Here we go again, another security breach, this time affecting millions of Texans. On April 11 the Texas Comptroller’s Office reported that the personal information of some 3.5 million Texans, including Social Security numbers, names and mailing addresses, was left unsecured and fully accessible from the Internet for about one year before being detected.
The unsecured information consisted of 1.2 million records from the Texas Retirement System, 2 million from the Texas Workforce Commission and 281,000 from the Employees Retirement System of Texas. If you’re curious like me, you’re probably wondering how this happened and how we are affected.
How do breaches like this happen? I’d like to think the only way this could happen is that a crack team of highly sophisticated hackers, perhaps funded by rogue nations, identified and exploited a previously unknown vulnerability for the purpose of nefarious activity. But no, it was just like 99.9 percent of all the other reported breaches throughout the world — someone wasn’t doing their job. This data could have been fully protected by configuring a few simple access controls that were already built into the application or system. The responsible parties either didn’t know the value of the data or how to protect it, or they just didn’t care.
How can you find out if your personally identifiable information was exposed? The Texas Comptroller’s Office started mailing letters to the individuals affected by the breach on April 15. If you haven’t received one yet, there is a good chance you weren’t affected. But to be sure, you can visit the web site for more information, or call 1-855-474-2065 to determine if your personally identifiable information was exposed as part of the breach.
What is the takeaway from this article? Understand what confidential information is and how to protect it. Always protect confidential information from unauthorized access and disclosure. If you are unsure whether the data you’re working with is confidential or not, treat it as if it were confidential. If you don’t know how to protect it, ask someone who does, or call the UTMB Office of Information Security at ext. 2-3838.
In closing, if you’re wondering what the cost of this data breach is to date:
Notifications: $1,200,000
Call center: $393,000
Security review: $290,000
Now, throw in credit monitoring for the affected individuals, a lawsuit or two, four fired employees, and loss of public trust — grand total: SUBSTANTIAL!
Remember Sec-U-R-IT-y