By WILL WEISSERT, Associated Press
SAN ANTONIO, Texas — The personal information of about 3.5 million Texans — including addresses and Social Security numbers — was mistakenly posted on public servers controlled by the state comptroller's office and remained there for nearly a year or more before officials discovered the problem, the agency said Monday.
Texas Comptroller Susan Combs said that in some cases, the data inadvertently released included birthdates and driver's license numbers. There was no indication any personal data had been misused.
"I deeply regret the exposure of the personal information that occurred and am angry that it happened," Combs said in a statement.
Calls to her office seeking further comment were not immediately returned.
The information affected was in data transferred by the Teacher Retirement System of Texas, the Texas Workforce Commission, and the Employees Retirement System of Texas.
The Teacher Retirement System data was transferred in January 2010 and had records of 1.2 million education employees and retirees, while the Texas Workforce Commission had data on about 2 million individuals listed in an April 2010 information transfer. The records of about 281,000 state employees and retirees were included in an Employees Retirement System's transfer from last May, according to the statement.
The comptroller's office said it will begin issuing letters Wednesday notifying those people affected.
The personal information was included in data transfers required by state statute. However, the statement said the data files transferred by those agencies were not encrypted as required by Texas administrative rules.
Also, it said, comptroller's office personnel allowed exposure of that data by not following proper procedure and allowing the information to be placed on a server accessible to the public. It stayed on that server "for a long period of time" and wasn't discovered until March 31, when the comptroller's office began blocking public access to the files, the statement said.
"I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered and was then moved to a secure location," Combs said. "We take information security very seriously and this type of exposure will not happen again."