Posts Tagged ‘Texas’

Texas Comptroller Susan Combs has announced a series of additional actions her office is taking to address the unauthorized posting of certain personal information on one of the agency’s file transfer servers. The security breach, which took place two weeks ago, exposed the sensitive data of 3.5 million people in Texas.

“I am deeply sorry this incident occurred and I take full responsibility for it,” Combs said. “This incident has affected the lives of Texans that I have dedicated my life to serving, and I am determined to restore their faith in the Comptroller’s office. That’s why we are taking additional actions to assist those who were affected and implementing new policies and procedures to help ensure this never happens again.”

The additional measures being taken to assist those affected by the incident include:

The free credit monitoring service, provided through CSIdentity, alerts subscribers to certain activity associated with their credit files, such as credit inquiries, or account openings, closings or delinquencies. Subscribers will also receive CSIdentity’s Internet surveillance service, which monitors chat rooms and websites for personal information.

In a separate service paid for by Combs’ campaign fund, CSIdentity will provide identity restoration services to anyone whose personal information is misused as a result of the data posting. To qualify for this offer, individuals must be enrolled in CSIdentity’s free credit monitoring service offered to those affected. There is no indication that anyone’s personal information has been misused in connection with this incident.

Some people whose personal information was affected may have already signed up for discounted credit monitoring and identity protection services offered by several service providers through the Comptroller’s office. Those companies have cancellation and refund policies, and individuals who signed up can contact the companies if they wish to cancel.

The U.S. Social Security Administration has published the names, birth dates, and Social Security numbers of more than 36,000 living people who mistakenly ended up in its Death Master File, which collects names of recently deceased individuals and is sold to the public.

From May 2007 through April 2010, SSA’s publication of the DMF (Death Master File) resulted in the breach of personally identifiable information for as many as 36,657 additional living individuals erroneously listed as deceased on the DMF. SSA made these individuals’ SSNs; first, middle, and last names; date of birth; and State and ZIP codes of last known residences available to users of the DMF before learning they were not actually deceased.

A report issued by the SSA’s Office of the Inspector General explained the irregularities in SSA that led to the breach. According to the report:

SSA did not implement a risk-based approach for distributing DMF information, attempt to limit the amount of information included on the DMF version sold to the public, or explore alternatives to inclusion of individuals’ full Social Security number (SSN). SSA continued to publish the DMF with the knowledge its contents included the PII of living number holders. As such, we believe SSA should take additional precautions to limit the number of reporting errors and the amount of personal information published in the DMF—particularly the version sold to the public. We made two recommendations for corrective action. The Agency disagreed with both recommendations.

This is the second big breach reported due to negligence of the U.S. authorities after the State of Texas exposed PII of over 3.5 million people.

Just four months into 2011 and we’ve already seen some of the largest data breaches ever, be it the Epsilon data breach or the Texas breach. This, however, doesn’t seem to be the end of data breaches. A large number of enterprises across the world are on the brink of a data breach, according to a report from Courion Corporation. The survey report reveals the level of understanding enterprises have regarding IT risk management and user access.

The global survey of more than 1,250 IT decision makers at large enterprises found that one third (33 percent) of respondents do not believe their organizations have an accurate assessment of the level of IT risk they face from internal and external threats. This lack of confidence in risk assessment is warranted for two reasons. First, nearly one in four companies (23 percent) indicated that they do not have a formal IT risk management program in place. Second, a large percentage of businesses do not routinely review user access rights to data. More than 90 percent of respondents said that identification of user access is a core component of their IT risk management strategy, yet 60 percent said they only review individual user access or entitlements once a year or less frequently, with 45 percent saying they do not certify user access to high-risk applications on a regular basis. All of this creates serious data breach risks from excessive user rights, access creep (an accumulation of access credentials as an employee transitions through different positions within a company), and inappropriate access by privileged users within the organization. Many organizations discover alarming facts when they conduct user access reviews:

• Nearly half (48 percent) of companies have discovered excessive user rights within their systems;

• 39 percent of respondents say they have identified instances of inappropriate access by privileged users within their organizations;

• 56 percent say they found cases where access was still active for a user’s prior role.
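The three review findings above (excessive rights, stale access from a prior role, and uncertified access to high-risk applications) are the kind of thing a scripted entitlement review surfaces. The following is an added example, not code from the survey or from Courion; role names, application names and user records are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample baselines (hypothetical role and application names).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "payroll_clerk": {"hr_portal", "payroll_app"},
    "helpdesk": {"ticketing", "ad_password_reset"},
    "dba": {"ticketing", "prod_db_admin"},
}
HIGH_RISK_APPS = {"payroll_app", "prod_db_admin"}
REVIEW_INTERVAL_DAYS = 365  # the survey's "once a year" threshold

@dataclass
class UserAccess:
    user: str
    current_role: str
    prior_roles: List[str]
    entitlements: Set[str]
    # Days since each entitlement was last certified; a missing key means never.
    certified_days_ago: Dict[str, int] = field(default_factory=dict)

def review_user(u: UserAccess) -> Dict[str, List[str]]:
    """Classify one user's entitlements into the review findings the text lists."""
    expected = ROLE_BASELINE.get(u.current_role, set())
    excess = u.entitlements - expected
    # Access creep: excess entitlements that belong to a role the user used to hold.
    prior = {e for r in u.prior_roles for e in excess if e in ROLE_BASELINE.get(r, set())}
    findings = {
        "prior_role_access": sorted(prior),
        "excessive_rights": sorted(excess - prior),
        # High-risk applications must be certified within the review interval.
        "uncertified_high_risk": sorted(
            e for e in u.entitlements & HIGH_RISK_APPS
            if u.certified_days_ago.get(e, REVIEW_INTERVAL_DAYS + 1) > REVIEW_INTERVAL_DAYS
        ),
    }
    return {k: v for k, v in findings.items() if v}

def review_all(users: List[UserAccess]) -> Dict[str, Dict[str, List[str]]]:
    """Run the review over a population and keep only users with findings."""
    return {u.user: f for u in users if (f := review_user(u))}

# Constructed sample population: alice moved helpdesk -> dba and kept a helpdesk right,
# bob holds a DBA right his role never needed, carol is clean.
SAMPLE_USERS = [
    UserAccess("alice", "dba", ["helpdesk"], {"ticketing", "prod_db_admin", "ad_password_reset"},
               {"prod_db_admin": 30}),
    UserAccess("bob", "payroll_clerk", [], {"hr_portal", "payroll_app", "prod_db_admin"},
               {"payroll_app": 400}),
    UserAccess("carol", "helpdesk", [], {"ticketing"}),
]

if __name__ == "__main__":
    for user, f in review_all(SAMPLE_USERS).items():
        print(user, f)
```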

“The results of this survey indicate that there is still widespread misunderstanding of the impact user access reviews have on enterprise IT risk,” said Kurt Johnson, vice president of strategy and corporate development for Courion. “No company wants to suffer the brand damage and liability caused by data breaches. The first step in preventing this is to establish a risk management strategy, and make user access reviews a key part of that process. Too often, an organization’s most highly sensitive data is easily accessible by numerous individuals who do not require access in the first place.”

Susan Combs, Comptroller for the state of Texas, has announced a massive data leak that resulted in 3.5 million people’s social security numbers, names, addresses and, in some cases, their birth dates and driver’s license numbers being exposed.

Unlike private companies who have had large releases of PII (Personally Identifiable Information) recently, the state of Texas is not providing credit monitoring or other services for the victims of their mistake. They are simply providing sage advice

The Comptroller’s office discovered on the afternoon of March 31st, 2011 that they had inadvertently placed the private information of the Teacher Retirement System of Texas (TRS), the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas (ERS) on an internet accessible server.

The data was not encrypted, which is a breach of policy, and several other policy rules within the state designed to protect people’s PII were bypassed as well.

While most organisations deploy encryption on company laptops, they often ignore the servers and databases where they store critical data, assuming it is safe because the servers sit behind a firewall. Evidently, that has not been sufficient to safeguard the data.

As we saw with Epsilon and many others before, sensitive data must be protected regardless of the medium or location in which it is stored.