According to Texas State Comptroller Susan Combs, the data wasn’t exposed by a hacker or a group of vigilante script kiddies—it ended up on a state-controlled public server after having been passed around between various state agencies. The data came from the Teacher Retirement System of Texas, the Texas Workforce Commission, and the Employees Retirement System of Texas, all of which transferred the unencrypted data (against state policy) between January and May of 2010. The information was only discovered on the public server on March 31, 2011, meaning it has been available for almost a year.
So far, the state says there’s no indication that the data was misused, but that doesn’t mean it hasn’t been or won’t be sometime in the future. In addition to the aforementioned personal information, Combs said that other data, like dates of birth and driver’s license numbers, had been exposed “to varying degrees.” Additionally, “all the numbers were embedded in a chain of numbers and not in separate fields”—good if only lazy “hackers” accessed the file, but bad because it ensures that the appropriate data is matched with other data from the same person.
I’m wondering which employees had access to the data, and which had access to the public server, and what sort of processes were violated which resulted in this data being published to the Internet at large.