AUSTIN -- The Texas attorney general's office and the FBI have launched a criminal investigation into an information breach at the state comptroller's office that publicly exposed the Social Security numbers and other personal data of about 3.5 million Texans for about a year, officials said Monday.
The information was placed on a computer server at the comptroller's office that was accessible to the public, the agency acknowledged. Department officials removed the data after discovering the mistake less than two weeks ago.
The officials responsible for the mistake were fired Monday morning, a spokesman for state Comptroller Susan Combs said. He declined to say how many were involved.
The information was in data transferred by the Teacher Retirement System of Texas, the Employees Retirement System of Texas and the Texas Workforce Commission. The people primarily affected are current and retired state employees and jobless workers receiving unemployment benefits, officials said.
Information from 21 million Texans in the Department of Public Safety database, including virtually everyone who has a driver's license, was also given to the comptroller's office, said Allen Spelce, a spokesman for Combs. But Spelce and DPS spokeswoman Tela Mange said that that material was encrypted and was not compromised.
"I deeply regret the exposure of the personal information that occurred and am angry that it happened," said Combs, the state's chief financial officer. "I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered and was then moved to a secure location.
"We take information security very seriously, and this type of exposure will not happen again."
There has been no indication that the personal information was misused, Combs said.
Attorney General Greg Abbott's office is working with the FBI in a criminal investigation, spokesman Jerry Strickland said. He declined to discuss specifics about the inquiry.
"Certainly we're going into this with eyes wide open and are not narrowing down any possibilities at this time," Strickland said. "The direction of our investigation will be dictated by the evidence."
Spelce said the breach appeared to be the largest-ever erroneous release of data by a state agency.
The records included the names and mailing addresses of individuals, as well as Social Security numbers. To varying degrees, the released material contained personal information such as birth dates or driver's license numbers. But Spelce pointed out that the data was "a continuous string of numbers" and did not designate specific categories.
The Teacher Retirement System data transferred in January 2010 had records of 1.2 million education employees and retirees, the comptroller's office said in a press release. The Texas Workforce Commission data transferred in April 2010 had records of about 2 million individuals. The Employees Retirement System data transferred in May 2010 had records of about 281,000 state employees and retirees.
The comptroller's office had requested the information for internal use in determining the owners of $2 billion in unclaimed property across the state. Spelce said that only the DPS followed correct procedure in sending the information in encrypted form, but officials of the three agencies said they followed proper security requirements.
Technicians at the workforce commission conducted several test runs to check for security before making the transfer, spokeswoman Lisa Givens said.
Spelce said the material was on a site that stored large amounts of information.
"You would have had to have knowledge about the site, but anybody in the public could have looked at it," Spelce said.
Comptroller's officials said they discovered the error during a security scan March 31. The department then sealed off public access to the files.
Comptroller's officials conducted an inquiry before disclosing the error to the public, Spelce said. The department also asked the attorney general's office to investigate, and conducted a "full internal review to ensure this type of thing will never happen again."
Dave Montgomery is the Star-Telegram's Austin bureau chief.