Texas Comptroller Susan Combs (Associated Press)

A sense of security disappeared earlier this year for about 3.5 million Texans. One state worker who answered our post on Facebook said he received a letter from Texas Comptroller Susan Combs’ office this spring, saying – like the others – some of his most personal information had been inadvertently placed on a public server.

The man said his social security number was soon used in two other states by another individual, though he also said the state has told him it had nothing to do with his case and did not take responsibility. Still, the leak did include millions of residents’ social security numbers plus driver’s license numbers and birth dates.

In April, Texas Comptroller Susan Combs acknowledged her office made the information available by mistake. At the time, officials have said there was no evidence of misuse, though a handful of Texans have stated the contrary. There was also a criminal investigation and murmurings of possible lawsuits.

Check out the comments on the KXAN Facebook page regarding the breach.

“I deeply regret the exposure of the personal information that occurred and am angry that it happened,” Combs said. “I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered and was then moved to a secure location.”

Possible Political Repercussions

Combs, a Republican, is next up for re-election in 2014, but she has also expressed her interest in running for lieutenant governor next year. Some political analysts say the data breach hurt her chances of winning.

After her initial announcement, the social media strings and news reports exploded across the state, repeatedly reminding voters of the ordeal. However, it could be campaign donors who make the final decision.

Though some people have called for her resignation or firing, Combs, who was overwhelmingly elected to a second term as comptroller last year, has said she will not walk off the job.

New Security Hires

This week, in response to security concerns, Combs announced the hire of two key individuals to over see privacy and security related, in part, to such information.

Elizabeth Rogers will now serve as the agency’s first chief privacy officer. Her duties will include:

• Creating and updating privacy standards
• Performing risk reviews to identify exchanges of personally identifiable information between agencies and other entities
• Identifying new privacy risks and developing mitigation strategies
• Collaborating with chief privacy officers at the state and federal levels on privacy related

“Elizabeth has the experience, know-how and commitment to help ensure that a major data issue does not happen again here,” Combs said. “She is one of a number of new professional personnel who will come on board this summer as we develop and implement new plans and procedures.”

Rogers previously worked as director of legal and regulatory client services at Resources Global Professionals, general counsel of the State Bar of Texas, and worked for the attorney general’s office.

Combs also announced the hiring of Jesse Rivera as chief information security officer to oversee information technology security and regulations. His duties will include:

• Overseeing information technology security and risk assessment
• Directing cyber security audits and ensuring technologies are in place to reduce risks of attacks
• Working on network security architecture based on the agency’s business needs and security regulations

Rivera has served as information security officer at General Electric and Clear Channel Communications and spent nearly five years with the CIA.

“We take information security very seriously, and this type of exposure will not happen again,” Combs added, saying letters would go out to each Texan whose name was on the server.

Leaked Information

The information found its way to the public server as it was being transferred to the comptroller’s office by three other state agencies: the Texas Employees Retirement System of Texas, Teacher Retirement System of Texas and Texas Workforce Commission.

“Naturally we were very concerned we found out about this…and we are among those affected by this security lapse,” said Lisa Givens, spokesperson for the Texas Workforce Commission, shortly after the announcement of the leak.

Givens said two million Texans who filed for unemployment insurance from December 31, 2006 through December 31, 2009 could be at risk for identity theft.

She said the agencies share information with the comptroller by law to determine addresses for people who may have unclaimed property in Texas.

Agency Breakdown

• Texas Retirement System of Texas data transferred in January 2010 had records of 1.2 million education employees and retirees.
• Texas Workforce Commission data transferred in April 2010 had records of about 2 million people in their system.
• Employees Retirement System of Texas data transferred in May 2010 had records of approximately 281,000 state employees and retirees

The data files transferred by those agencies were not encrypted, even though current rules require it.

Also, the comptroller’s office failed to follow internal procedures, which led to the information being placed on the public server and remaining accessible for some time without being purged. Combs’ office said the numbers were embedded as part of a chain of numbers and not listed in separate fields.

Discovery of the Problem

The mishap was discovered March 31, which prompted the agency to seal off public access. The Attorney General’s Office is helping with an internal investigation on how the breach was able to continue and remain undetected for several months. The Attorney General’s office was notified on April 6, one week after the comptroller discovered the breach. FBI forensics detectives are assisting in the investigation.

A website put in place by Combs’ office states: “Identity thieves can use your personal information for activities such as opening credit lines or checking accounts, making purchases using your existing bank account or credit card, getting a bogus driver’s license or Social Security card, making long distance calls or applying for a job.”

Available Help

That site is in place to provide more details and recommended steps and resources for protecting identity information. This includes a free credit monitoring service with enrollment offered through July 27. There is also a section of the site to see who might be affected by the leak.

The credit monitoring was thought to possibly cost the state up to $21 million, but Combs had previously said it might be less than that.

A toll-free, 24-hour phone line will is also at 855-474-2065.