Texas Security Gaffe Dwarfs Epsilon Data Breach
I hate to minimize the data breach at Epsilon, a service company that sends out 40 billion emails a year for its corporate customers and got cracked by a group that stole data that could equal millions of consumer email addresses.
Big customers whose data was taken included Citibank, Disney, Hilton, JP Morgan Chase, Target, Tivo, Barclays Bank.
It's hard to be more high profile than that, even if you're the kind of company the actual customers are never supposed to see.
Texas did it bigger, though. A lot bigger.
The unencrypted personal records of 3.5 million Texans were exposed for more than a year after they were copied onto a server accessible by the public over the web.
The problem was discovered by staffers from the office of State Comptroller Susan Combs, who were doing a routine security scan and found records that not only should not have been on a public server, but should have been encrypted as required by Texas state law.
The records, from two Texas-state employee retirement systems and the Texas Workforce Commission, included not only email addresses, but snail mail, Social Security numbers and possibly dates of birth and drivers' license numbers.
Security analyst Larry Ponemon estimates every lost customer record costs a company $214. Most of the data breaches in Corporate America are the result of phishing or cracks that are very short term. Breaches are usually discovered relatively quickly and the particular security hole is closed.
Lost data is often, as with Epsilon, only partial - emails, street addresses or whatever.
Putting full employment and retirement records on a public server, with all the relevant data an identity thief would need to clone and reuse you, and leaving them there for a year?
Texas wins this one hands down over Epsilon. (Although, serendipitously, Epsilon is based in Irving, Texas,
There's no evidence, according to Combs' office, that the data have yet been misused by identity thieves.
Which leaves me wondering whether it's worse that Texas left all that data out in the open for so long, or that, apparently, no one in a position to steal it either knew or cared.