Everything's bigger in Texas, including (apparently) security breaches. The Texas Comptroller's office yesterday began sending breach notifications (as mandated by Texas state law) to over 3 million individuals whose personally identifiable information was exposed on a website run by the Comptroller's office.
Here's what is known and publicly disclosed at this point:
- Personal data of 3.5 million Texans, including unemployment claimants, teachers, state workers and retirees, was left unprotected and exposed on the Internet.
- Texas Comptroller Susan Combs said the confidential data (Social Security numbers, addresses, dates of birth, driver's license numbers, and more) was exposed for about a year while it sat on a publicly accessible server.
- A spokesperson for the Comptroller's office "said it was human error, not a security breach, that caused the problem and that the people responsible have been fired." (News flash: many reported security breaches are caused by human error! Just because they are caused by human error does not mean they aren't security breaches. In fact, I'd bet that the Texas data breach disclosure statute, like every other state's, makes no distinction as to "how" the data was lost. We've blogged before about the topic of human error and security breaches.)
- The exposed information was transferred to the Comptroller's office by three other state agencies. Statewide agency rules required that the transferred data be encrypted, which it was not. Employees in the Comptroller's office then did not follow established procedures, which led to the information being publicly accessible.
- "The Comptroller views the protection of personal information as a serious issue. She will be working with the Legislature to advance legislation to enhance information security as outlined in the Protecting Texans’ Identities report she released in December.” …How ironic is that?
What hasn't been publicly disclosed yet is what sort of computer platform housed this data, and what process or policy failure led to the information being Internet-accessible. In theory the information could have been erroneously posted to a website, an anonymous FTP server, or a collaboration platform of some sort. Or perhaps the information was exposed through a peer-to-peer network connection.
The state has created a website to disseminate information on this breach: www.TXsafeguard.org
Here are some important takeaways for organizations using collaboration sites that are exposed to the internet.
1) Most collaboration platforms, whether enterprise-based or cloud-based, make it very easy to share files, and much less easy to restrict access to those files. Pay very close attention to which users and groups really need access, and set permissions and access controls accordingly. Always remember that cloud and SaaS platform providers can access any information you put in their platform unless it is encrypted with keys they do not hold.
2) Security policies or guidelines requiring the use of technical controls (such as encryption in this case) are useless without the diligence required to ensure proper implementation and routine use. Controls like data encryption for sensitive information work best when they are transparent (automatically invoked) and don't require users to take any action to protect the content. As the Texas breach shows, relying on users or administrators to manually apply encryption to sensitive information is not a reliable security strategy.
3) Frequent scans of your public-facing IP ranges are essential, and they should look at what is being served (directory listings, bulk files full of Social Security numbers or dates of birth), not just which ports are open. There's no excuse for sensitive information sitting exposed on a publicly accessible site for a year.
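To make takeaway 3 concrete, here is an added example (not from the original post, and not CipherPoint's own tooling) of the content-inspection step that should follow a port/host sweep of your public ranges. It assumes you already have a list of candidate URLs from a host discovery tool; the fetcher is real but the classifier is exercised here on constructed sample pages so it runs offline. The SSN check applies the Social Security Administration's structural rules (area 000, 666 or 900+, group 00, serial 0000 are never issued) so placeholder values on help pages do not trigger alerts, and the report deliberately returns only masked samples so the scan output does not become a second copy of the leaked data.

```python
"""Exposure sweep for public-facing web content (added example, not from the post).

Assumes a list of candidate URLs already exists (e.g. from an nmap/httpx pass over
your public IP ranges). fetch_text() is only used from main(); the classifier is
run on constructed sample pages so it can be tested offline.
"""
import re
import urllib.request

# 3-2-4 digit groups with optional '-' or ' ' separators, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
# US-style mm/dd/yyyy dates of birth.
DOB_RE = re.compile(r"(?<!\d)(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}(?!\d)")
# Default auto-index title emitted by common web servers when a directory has no index page.
DIRLIST_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)


def is_valid_ssn(area, group, serial):
    """SSA structural rules: rejects placeholders such as 000-12-3456 or 666-01-1234."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def classify(body, bulk_threshold=10):
    """Return counts and a severity for one fetched document.

    Distinct SSNs are counted (a form template repeats the same one many times);
    only a masked sample is returned so the scan report is not itself a leak.
    """
    ssns = sorted({"".join(m.groups()) for m in SSN_RE.finditer(body)
                   if is_valid_ssn(*m.groups())})
    dobs = len(DOB_RE.findall(body))
    listing = bool(DIRLIST_RE.search(body))
    if len(ssns) >= bulk_threshold:
        severity = "critical"   # bulk record dump: the Texas scenario
    elif ssns:
        severity = "high"
    elif listing or dobs:
        severity = "medium"     # browsable directory or DOB-only data: go and look
    else:
        severity = "info"
    return {
        "severity": severity,
        "ssn_count": len(ssns),
        "dob_count": dobs,
        "directory_listing": listing,
        "ssn_sample": ["***-**-" + s[-4:] for s in ssns[:3]],
    }


def sweep(pages, bulk_threshold=10):
    """Classify a {url: body} mapping and return findings worth a ticket, worst first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    findings = []
    for url, body in pages.items():
        result = classify(body, bulk_threshold)
        if result["severity"] in order:
            findings.append({"url": url, **result})
    return sorted(findings, key=lambda f: order[f["severity"]])


def fetch_text(url, max_bytes=2_000_000, timeout=10):
    """Fetch one URL with a bounded read, for use in a live sweep (not run offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read(max_bytes).decode("utf-8", errors="replace")


# Constructed sample responses standing in for fetched pages (hypothetical host, fake data).
SAMPLE_PAGES = {
    "http://example.invalid/transfers/":
        "<html><head><title>Index of /transfers</title></head><body>..</body></html>",
    "http://example.invalid/transfers/agency_extract.csv":
        "last,first,ssn,dob\n" + "\n".join(
            f"Doe,Person{i},{452 + i:03d}-11-{1000 + i:04d},01/15/1970" for i in range(12)),
    "http://example.invalid/help/form.html":
        "Enter your SSN in the form 000-12-3456 or 666-01-1234 (placeholders only).",
    "http://example.invalid/":
        "Contact the help desk at 512-555-0100 during business hours.",
}

if __name__ == "__main__":
    for f in sweep(SAMPLE_PAGES):
        print(f"{f['severity']:8} {f['url']}  ssn={f['ssn_count']} dob={f['dob_count']} "
              f"listing={f['directory_listing']} sample={f['ssn_sample']}")
```

On the sample data the CSV extract is reported as critical (12 distinct valid SSNs plus dates of birth), the bare directory listing as medium, and the help page and contact page are dropped: the placeholder SSNs fail the SSA rules and a phone number does not fit the 3-2-4 pattern. In a real sweep, replace SAMPLE_PAGES with {url: fetch_text(url)} over your discovered URLs, and run it on a schedule rather than once.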
With data breach costs running to $200+ per record lost, as determined by the Ponemon Institute, acquiring and deploying effective security controls to prevent high cost security breaches (whether from insiders, external attackers, or stupid human tricks) just makes sense.
JD
CipherPoint writes a regular column on SharePoint Security and Compliance on EndUserSharePoint. Check them out here.
