Breach Exposes Personal Data, Including Social Security Numbers, of 1.8 Million Texans

Data from as far back as 2006 could have been affected, according to the Texas Department of Insurance.
It's relatively easy to find a person’s phone number, email and address online. But if you’re a criminal looking for Social Security numbers, it can be more challenging.

That is, unless you caught on to the fact that the Texas Department of Insurance (TDI) accidentally made all of that information available to anyone who wanted to see it for nearly three years.

An audit of the department found it accidentally exposed the personal information of some 1.8 million workers who had filed compensation claims. The personal data included dates of birth, emails, addresses, phone numbers and Social Security numbers. All of this information was available publicly from March 2019 to January 2022.

In March this year, the department put out a public notice after its audit was complete, acknowledging the data breach. The audit was released last week.

On Jan. 4, 2022, the TDI “became aware of a security issue with a TDI web application that manages workers’ compensation information,” the department said in the March notice. “TDI immediately took the application offline, quickly fixed the issue, and started an investigation to determine the nature and scope of the event.”

The department said it will be sending letters to people who filed workers’ compensation claims in the nearly three-year period. The letters will have instructions for enrolling in a credit monitoring service at no cost to them. If you don’t get a letter but have filed a workers’ compensation claim since 2006, the department said you may still be eligible for the free credit monitoring.

Ben Gonzalez, a spokesperson for the Texas Department of Insurance, said its investigation into the data breach included identifying whose information was viewed by people outside the department. “To date, we are not aware of any misuse of the information,” Gonzalez said in a statement Tuesday afternoon.

But the department is also providing 12 months of identity protection services for those affected. This includes fraud consultation and identity theft restoration.

The cause was apparently a glitch in the programming code in the department's web application. The site everyone had access to for nearly three years was meant to be stored in a protected part of the online application.

The coding glitch allowed everyone to access this protected part of the application. Once the department found out about the glitch, it took the application offline until the information was made private. Gonzalez said their investigation was not prompted by the state’s audit, which began last fall.

“TDI identified the web application issue in January 2022 and, after correcting the code issue, reported it publicly, including issuing letters to potentially affected individuals, posting notice on our website, and issuing a news release,” Gonzalez explained. “The March 24 notice TDI sent to the media and consumers was not dependent on or initiated by the [State Auditor’s Office] audit, nor was the timing of that notice related to the [State Auditor’s Office] audit or report.”

Gonzalez said the auditor’s office was working on its audit while the department was investigating the breach and was in the process of preparing notices.

Tobin Shea, CEO of MindWise Cybersecurity & Fraud Prevention, told the Observer the breach appeared “preventable.”

“From the information I was able to find, this appears to be a very elementary level mistake when configuring access permissions that should have been caught by a senior developer or cybersecurity team member when the web application was published,” Shea said. “Even if it slipped past the development team, an application dealing with such a high volume of confidential, personal information should have undergone regular security testing and audits that would have exposed this issue.”

Shea added, “If a bad actor found this exposed information, it would indeed be the jackpot.”

On some level, obtaining this kind of information is easy because so much of it is sold on the dark web every single year, Shea said.

“The other factor in this equation is how the dark web obtains this information to sell in the first place,” Shea said. Usually, the information gets out after a deliberate hack, but some may be looking for accidental breaches.

“Since there are billions of websites on the internet, it would be nearly impossible for a hacker to quickly scan through all of them and check for compromised information,” Shea said.

“Instead, companies that are known to have a lot of secure information in their databases are chosen as objectives, but opportunistic attacks taking advantage of accidentally unsecured information like this situation with the Texas Department of Insurance (TDI) are still widespread,” Shea added. “It is imperative that every organization takes cybersecurity very seriously since it's impossible to know who a hacker's next target may be.”