AUSTIN -- State Comptroller Susan Combs issued a public apology Thursday for an information breach that exposed the personal records of 3.5 million Texans and said her office will offer a year of free credit monitoring to those affected.
"I am really sorry this happened," the state's chief financial officer told the Star-Telegram. "It's our fault. It doesn't matter what anybody else did. We sent some stuff to a server that we should not have done, and it is our responsibility. We did it wrong."
The agency acknowledged the breach on April 11, saying Social Security numbers and other personal data were parked on a publicly accessible computer server for about a year.
Officials discovered the mistake in late March.
The information was in data transferred by the Teacher Retirement System of Texas, the Employees Retirement System of Texas and the Texas Workforce Commission.
Those primarily affected are current and retired state employees and jobless workers receiving unemployment benefits.
Combs held a series of telephone interviews with major Texas newspapers Thursday to claim personal responsibility and to discuss steps that her office is taking to prevent a recurrence.
"I take data security very, very seriously, and I know there are a lot of folks in Texas who feel uneasy," said Combs, a Republican in her second four-year term as comptroller.
"I'm very, very sorry and I hope the things we're doing will make them feel better."
Those affected have been notified by mail.
People who don't receive letters but think they might be affected can check a new website, txsafeguard.org, or call a toll-free number, 855-474-2065.
Beginning at 7 a.m. today, one year of credit monitoring and Internet surveillance will be offered to those affected at no charge through CSIdentity Corp., an Austin firm that detects identity theft and Internet fraud.
The agency is also offering identity restoration for those whose personal information is misused.
Combs said Thursday that her office has received no evidence of misuse.
The state's cost for credit monitoring will be $6 per person -- as much as $21 million if all of those affected sign up.
Combs spokesman Allen Spelce, citing industry standards, said about 10 percent typically participate.
The state also plans to spend $30,000 to $40,000 for a software program that will provide automatic alerts on the transfer of sensitive personal information within the agency.
The cost of the identity restoration services will be financed by Combs' campaign fund, the agency said.
Other steps include a staff reorganization to strengthen information security, the appointment of a chief privacy officer and the use of a new file transfer system with enhanced encryption.
"You have to have the right personnel inside the agency aware of the need for security, and you have to train them as well," Combs said.
Joe Ross, president and co-founder of CSIdentity, said clients who participate in the monitoring will be alerted to any activity on their credit files, such as credit card inquiries or account openings.
The Internet surveillance program is designed to patrol for identity thieves who use the "dark side of the Internet," such as underground chat rooms, to trade in stolen personal data, Ross said.
Ross said the company is on a list of vendors approved by the state's Department of Information Services and has performed work for the Teacher Retirement System and the Employees Retirement System.
The Texas attorney general's office and the FBI are conducting a criminal investigation into the information breach.
The officials responsible for the mistake have been fired, agency officials have said.
Dave Montgomery is the Star-Telegram's Austin bureau chief. 512-476-4294