The personal information of about 3.5 million Texans -- including addresses and Social Security numbers -- was mistakenly posted on public servers controlled by the state comptroller's office and remained there in some cases for more than a year, the agency said Monday.
Texas Comptroller Susan Combs said in a statement that the data inadvertently released even included dates of birth and driver's license numbers for some people, but that there was no indication any personal data had been misused.
"I deeply regret the exposure of the personal information that occurred and am angry that it happened," Combs said.
Agency spokesman R.J. DeSilva said people who were involved in the incident were dismissed but that he couldn't say how many because of human-resource rules.
The personal data was contained within folders on a comptroller FTP site separate from its main page -- one that contained hundreds of folders, DeSilva said. Some of those folders were security-protected and could only be accessed by state agencies, while others were open to the public.
The personal information was "on a portion of the page where anyone could look," he said.
Jerry Strickland, a spokesman with the state attorney general's office, said officials had contacted the FBI to assist in a criminal investigation that began last week. Strickland said he couldn't comment on whether the information had been misused, citing the active investigation.
DeSilva said officials discovered the problem March 31 but only notified those agencies it affected Monday. He said it took several days for the agency to prepare to notify all the people involved, adding, "we had to make sure we were thorough in our analysis and preparation for this."
The information affected was in data transferred by the Teacher Retirement System of Texas, the Texas Workforce Commission, and the Employees Retirement System of Texas.
The Teacher Retirement System data was transferred in January 2010 and had records of 1.2 million education employees and retirees, while the Texas Workforce Commission had data on about 2 million individuals listed in an April 2010 information transfer. The records of about 281,000 state employees and retirees were included in an Employees Retirement System's transfer from last May.
The comptroller's office will begin issuing letters Wednesday notifying those people whose personal information was mistakenly made accessible to the public.
The personal information was included in data transfers required by state statute. However, the comptroller's office's statement said the data files transferred by those agencies were not encrypted as required by Texas administrative rules.
Also, it said, comptroller's office personnel didn't follow proper procedure and allowed the information to be placed on a server accessible to the public. It stayed on that server "for a long period of time" and wasn't discovered until March 31, when the comptroller's office began blocking public access to the files.
"I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered and was then moved to a secure location," Combs said. "We take information security very seriously and this type of exposure will not happen again."
One of the agencies that had data affected, the Employees Retirement System of Texas, was created in 1947 to oversee retirement benefits for state employees. Spokeswoman Mary Jane Wardlow said its executive director was called to the comptroller's office at 7:30 a.m. Monday and notified of the problem.
"ERS provided the data to the controller as required by law in the secure format that was prescribed by the comptroller and described in the interagency contract between our offices," she said.
Wardlow said her organization posted a statement on its Website explaining what occurred to members and retirees, and was prepared for a high number of calls of people worried about their personal information being made public. She said she did not know if there had been a greater number of calls than usual Monday.
The divulging of personal information was ironic because Combs has fought to keep state employees' birth dates private, arguing that releasing them could lead to identity theft.
In December, the Texas Supreme Court ruled that the dates of birth of about 145,000 state employees are protected from disclosure because their release would be a "clearly unwarranted invasion of personal privacy." That decision came after Combs appealed a case that began in 2005, when The Dallas Morning News requested an updated state payroll database. Then-Comptroller Carole Keeton Strayhorn released most of it, but excluded birth dates, offering to list workers' ages instead.
The newspaper said it needed the birth dates to distinguish workers with the same name, and Combs appealed the case to the Supreme Court, clearing the way for the ruling.