Forgot your password?
typodupeerror
Privacy Government Security The Internet Your Rights Online

Personal Info of 3.5 Million Texans Was Publicly Accessible 146

Posted by Soulskill
from the even-data-breaches-are-bigger-in-texas dept.
SpaceGhost writes "The Houston Chronicle reports, 'Personal information of about 3.5 million Texans — including names, mailing addresses and Social Security numbers — was posted on a publicly accessible server at the state comptroller's office, much of it for more than a year.' Many of the records were for retired teachers and the unemployed, and they sometimes included DOB and drivers license numbers."
This discussion has been archived. No new comments can be posted.

Personal Info of 3.5 Million Texans Was Publicly Accessible

Comments Filter:
  • So? (Score:4, Funny)

    by pclminion (145572) on Monday April 11, 2011 @05:35PM (#35786264)

    Names and addresses I can get from a phone book. SSNs are "not to be used for identification purposes." Thus, BFD.

    Place blame squarely where it belongs: lending providers and others who use the SSN as some sort of magic key to an individual's identity. All it takes is a simple law and this shit could stop next week.

    • Re:So? (Score:5, Insightful)

      by NevarMore (248971) on Monday April 11, 2011 @05:42PM (#35786348) Homepage Journal

      All it takes is a simple law and this shit could stop next week.

      Yep, because laws stop people from doing stupid and illegal things.

      • Re:So? (Score:5, Interesting)

        by pclminion (145572) on Monday April 11, 2011 @05:47PM (#35786404)

        If you make the collection of social security numbers a felony I guarantee you the banks would stop doing it. To make doubly sure, make it a civil tort so that the individual who was asked for their SSN can sue the bank. Let everyone know they can do this. It would stop instantly.

        • Re:So? (Score:5, Insightful)

          by Dachannien (617929) on Monday April 11, 2011 @05:56PM (#35786486)

          Forbidding the collection of SSNs isn't really the answer. The banking industry will just devise some other unique key that people will need to provide so that credit checks and such can be run, and then that key will become the center of risk.

          The real answer is to make this information worthless by requiring banks to actually follow up and ensure that a new credit line requestor is the person they claim to be before opening the new credit line. Currently, the banks do everything they can to prevent themselves from eating the loss, but they don't do much to prevent the loss in the first place. They push as much as possible onto merchants and individual consumers. It's worth more to them to open instant credit lines virtually anonymously than to eat the occasional loss, and until that changes, the rest of us will continue to suffer from financial predation by third-world organized criminals.

          • Stop the presses! I have a brilliant proposal!

            They can use MD5 hashes of SSNs instead! Yeah!

            For the security-conscious, all bank forms will now include a ten-page instructional booklet on how to perform an MD5 hash by hand. This will be superseded by a number of handy and free online tools provided by the Russian Business Network.
          • Re:So? (Score:4, Insightful)

            by countertrolling (1585477) on Monday April 11, 2011 @06:11PM (#35786638) Journal

            The banking industry will just devise some other unique key...

            Yeah... That's the idea. The bank, insurance, and other industries and departments are supposed to use their own unique to them ID system. Now a thief would need to break into all those different databases. IT is up to all of us to resist allowing them to use the SSN. Just say no.. The law doesn't prohibit that.

            • You obviously must live in mom's basement. If you don't give up your SS# you'll have to pay cash for everything all the time. You know, storing all your money at home and carrying large amounts of cash have some pretty big downsides, too. Not to mention there are plenty of things many of us do every day that can't be done (or can be done but at much greater expense) without a credit card.
              • by pclminion (145572)
                You can't borrow, but that also means the banks can't lend. A bank that can't lend is a dead bank.
              • They cannot legally require you give up your SSN. They can only ask. The law is already on our side. Public acquiescence is the real problem.

                • So you have bank accounts, credit cards, a mortgage, a car, and no-one knows your SS#? I call bullshit. The law "protecting" you from divulging your SS# is like US income tax being "voluntary". It's fake. You cannot have a credit card, a home, or anything else without giving up your SS# unless you're filthy rich and can pay cash for everything all the time. And you cannot decline to pay your "voluntary" income tax unless you want to lose everything and go to prison.
                  • Whatever you say..

                    So you have bank accounts, credit cards, a mortgage, a car...

                    Short answer: No.

                    Ah, one question.. Where did I mention anything about the IRS? Who doesn't already understand they can do what they damn well please? Sorry, two questions..

                    • It was cited as an example of other things that you can supposedly do but in practical reality cannot. Of course you can live without banks, cards, a home, a vehicle but who would choose that for themselves? I think it's probably safe to say the only people who live without those things have little choice.
                    • ...but who would choose that for themselves?

                      Me.. If you prefer to live neck deep in red tape, by all means...

                      I think it's probably safe to say...

                      ...that you're not a very good odds maker.

                      However, you can redeem yourself if you can call a triple crown winner this year. Place yer bets. Cash only

                    • Sorry, I don't even know what a "triple crown winner" is. I'm guessing it isn't football or yahtzee.

                      Well, you're most likely either
                      (1)dependent on someone else for your survival, or
                      (2) totally down-and-out (lots of people are, it's nothing to be ashamed of), or
                      (3)you're a redneck hillbilly whose been training for the breakdown of society sonce the civil rights movement began.
                      How close am I? :D
                    • Triple Crown - usually associated with thoroughbred horse racing. Google knows all..

                      Man, you are ice cold.

                    • Good, glad to hear it! :)
            • My point was that it doesn't do any good for the unique key to be different for each financial organization, because the key is supposed to uniquely specify the individual customer in a way that works across all financial organizations. The industry as a whole has to be able to specify the individual in order to keep track of the risk associated with that individual (e.g., credit checks). SSNs are used because they're convenient, and that's because the government issues SSNs with the intention of uniquene

              • I'm not really concerned with the problems of the industry or any difficulty they might have devising a secure system. Only that it remains their problem, not ours. If the house becomes uninhabitable, tear it down. Legally we are not required to give them our SSN, and we shouldn't. Only certain departments of the federal government is entitled to use it. We can keep it off limits to anybody else, but we have to do it. If we back down, we only have ourselves to blame.

            • by NexusTw1n (580394)

              It won't be unique to each bank though. They will simply require you to provide the ID# assigned to you by Experian.

              This ID# will effectively become the new SSN, and the problems will continue.

              Until you make data security a legal requirement punishable by prison, you are going to see leak after leak. Making the leak of personal data a criminal offence is the only way to make it cost effective to have decent security procedures in place.

            • by atisss (1661313)
              In country I live there is unique number identifying person, and it's supposed to be legally protected from storage/processing, however you can easily find it in legal documents circulating internet, or just in any legal document you have access to. This just doesn't work.
          • Re:So? (Score:5, Insightful)

            by fuzzyfuzzyfungus (1223518) on Monday April 11, 2011 @06:12PM (#35786652) Journal
            Arguably, we should be much more worried about the financial predation of first-world organized criminals: The banks and the credit rating agencies and similar such institutions are the ones who make it trivially easy to act in other people's names, in order to move their product more easily and cheaply, and then attempt to sidestep the losses from fraud by hounding the people whose names were used.

            The only predation by third-world organized criminals that occurs directly against the end user consists of 419 scams. The rest of it consists of various sorts of bank fraud that the banks aren't sufficiently motivated to take measures against; but are willing to put those whose names are used through the wringer.

            It's very clever, really: "Identity theft" makes it your problem. Admitting that it is "bank fraud" would make it their problem.
        • by corbettw (214229)

          It's so cute how you think law makers would make laws against the interest of bankers.

          • by pclminion (145572)

            It's so cute how you think law makers would make laws against the interest of bankers.

            The complete failure of our system of government is an orthogonal problem to what we're discussing here.

            If you compare the United States government to a computer program, it's basically a pile of hacks upon hacks sitting on top of a shitty core library. The hacks are there because the core is all fucked up, but just because you can make it work by adding even more hacks doesn't mean the whole thing won't fall down and co

            • by toadlife (301863)

              We need USA 2.0 at this point, written from the ground up.

              From the ground up...like Netscape 5?

              • by pclminion (145572)

                Sure, there's the second system effect to contend with, where you try to cram in all the crap you wish you'd had in version 1.0 and end up making an even bigger mess in version 2.0, but that's just an observation, not a law of nature.

                Also, by "written from the ground up" I do not mean tossing out the Constitution and starting completely from scratch. To continue the computer analogy, let's treat the Constitution like the hardware. We know it works, it's just the pile of shit built on top of it that's wrong.

                • It's an interesting idea, but the problem is most our troubles don't originate with ill-conceived or poorly-written laws -- those are just symptoms, not causes.
                • by drinkypoo (153816)

                  I'm not sure we know the constitution works correctly. Totally failing to take political parties into account was a miss. Not enough was done to ensure free trade though it was clearly intended. The interstate commerce clause is entirely open-ended. I'm not saying I'd have seen this stuff if I had been there, but let's not pretend there are not real fundamental problems with the constitution. A few more rights need to have been enumerated, at least. The founders considered that a futile exercise but given r

                  • by corbettw (214229)

                    We've had our differences in the past, but I wanted to go on record as saying I agree with all of the points you've raised in this post.

                    • by drinkypoo (153816)

                      We've had our differences in the past, but I wanted to go on record as saying I agree with all of the points you've raised in this post.

                      I like to think my heart is in the right place even if my head is totally up my ass sometimes.

        • What if Social Security Numbers + the Person's name were a Copyrighted Work? That would be the legal protection that would scare snarks!

        • Banks need SSNs so that they can report interest paid to the IRS. In fact, this is one of the few legitimate uses of the SSN.
        • by icebike (68054)

          If you make the collection of social security numbers a felony I guarantee you the banks would stop doing it.

          No, they wouldn't.

          Banks are REQUIRED [helpwithmybank.gov] to have an ssn on file these days.

          • by pclminion (145572)
            Incompatible laws lead to paradoxical consequence! News at 11! How are we to deal with this insurmountable problem? Perhaps with a change to the law.... No, that would never work.
        • by tlhIngan (30335)

          If you make the collection of social security numbers a felony I guarantee you the banks would stop doing it. To make doubly sure, make it a civil tort so that the individual who was asked for their SSN can sue the bank. Let everyone know they can do this. It would stop instantly.

          And yet we'll just need another ID code. Registered with the IRS, because financial institutions report such incomes to the IRS. Which then becomes the de-facto ID code that the entire industry uses for credit reports and other stu

      • by nedlohs (1335013)

        They stop most people for situations like that. In fact I suspect the only people they wouldn't stop are those ignorant of the law in question.

        Example law:

        * Using a SSN for *anything* except other than the adminstration of social security and the collection of taxes shall be punishable by a $42 billion fine.

        You really a bank is going to use your SSN for anything when that is law? OK then, do you really think after all the banks that did so have filed for bankruptcy due to a trillions of dollars in liability

      • by Culture20 (968837)

        All it takes is a simple law and this shit could stop next week.

        Yep, because laws stop people from doing stupid and illegal things.

        This is Texas. Laws don't stop people from doing stupid and illegal things, guns do. ergo:
        "All it takes is a simple six shooter and this shit could stop next week."

      • by jackspenn (682188)

        All it takes is a simple law and this shit could stop next week.

        From your comment I can assume that you have never actually spoken with the average state employee?

    • Now that you mention it, why don't we use some sort of web-of-trust/public key infrastructure/certificate authority-based system for establishing identity and trust?

      Or would that just have the same inconvenience and fraud that an SSN-based system has?

      • That is just what we need.

        Joe Public: What do you mean I have to pay verisign a $100 a year just to file my taxes?
        IRS Operative: You have to have your signature signed to prove who you are to us.
        JP: You don't know who I am? Can you tax me if you can't identify me?
        IRS: We can not tax you but you will be charged with tax evasion.
        JP: How can you charge me if you don't know who I am?
        IRS: Well first you will have to have your signature signed by verisign.
        JP: Where did you get such a messed up idea like t

    • BFD? Then by all means, let's see your name, address, and SSN. ;)
    • by nurb432 (527695)

      SSNs are "not to be used for identification purposes."

      You actually believe that is still the case?

    • by Solandri (704621)

      Place blame squarely where it belongs: lending providers and others who use the SSN as some sort of magic key to an individual's identity. All it takes is a simple law and this shit could stop next week.

      No it won't. Like it or not, there's a need for a unique individual identifier in the credit industry. If you can prove you pay your bills, you're less of a risk, and can get lower rates from them. A lender does not need a SSN to lend you money. It's just that all of them choose to require it and a cre

      • by pclminion (145572)

        No it won't. Like it or not, there's a need for a unique individual identifier in the credit industry. If you can prove you pay your bills, you're less of a risk, and can get lower rates from them. A lender does not need a SSN to lend you money. It's just that all of them choose to require it and a credit check to minimize their risk. If you feel this is wrong, feel free to start your own lending company which does not require SSNs nor credit checks, and tell us how that works out for you.

        "Being a lender

        • Boo hoo, cry me a river. There's enough profit incentive in lending that they'll figure something out.

          That was the next paragraph.

          If it became illegal to use SSNs for this purpose, then everyone would get lumped in the same risk pool. People who are good about paying their bills on time would see their rates and fees go up. People who are deadbeats and delinquents would see their rates and fees go down. Pretty obviously, that'd be bad for the economy as a whole.

          I agree with what he said, and really REALLY don't want to be an anonymous lender (lendee?).

    • The "not for identification" on the Social Security Card didn't mean "You may not use the Social Security Number for Identification" - it wasn't a pro-privacy imperative.

      It was simply a disclaimer that the Social Security Administration was making no promises that the card they'd handed out was of any use for identifying the person now holding it. It was a card providing information, not identification.

  • ....even their screw ups.

    How could that mistake have gone on for a year without somebody seeing it?

    • We are too busy doing our "Hold my beer and watch this" antics to be bothered with paying attention to stuff like this. /burp I live in Dallas. Hold my beer. Watch this ...
    • Re: (Score:2, Flamebait)

      by Sponge Bath (413667)

      Comptroller Susan Combs was too busy massaging reports about the financial state of Texas to help re-elect republicans based on "The Texas Miracle" (the supposed superiority of Texas financial management). Now that the election is over and the reality of a $27 billion shortfall for the next budget sinks in, I guess her office has time to look into these basic things.

      Texas: where 12 years of absolute republican rule is propelling us into Mississippi territory in state rankings for services, health care, educ

  • Better duck and cover. Typical person from Texas shoot first then ask questions later.
  • for propane and propane accessories. Maybe this will help the USPS.
  • to get the info for illegal immigration.

  • ... nothing to hide, nothing to worry? 1 2 3 That's how long it takes to be modded flamebait!
  • Dang. They *are* running the government like a business down there.

  • Names, home addresses, email addresses, and home telephone numbers are posted by default for all UCLA students (including minors) on a publicly-accessible "directory" at http://directory.ucla.edu./ [directory.ucla.edu] There are only 60,000 people associated with the university, but apparently it generates 3mm searches/mo... not surprising because it doesn't require a username or password and has only limited protection against scraping. One student was involved in the a mistaken identity case with the Rose Bowl stabbing and
    • by herojig (1625143)
      Fascinating post. Glad they had none of this nonsense when I was there...I probably would have received another ton of Domino's pizza adverts over the years in my mailbox (and I guess now my inbox).
  • "I deeply regret the exposure of the personal information that occurred and am angry that it happened," [State Comptroller] Combs said in a statement.

    [Translation] Let me put out this public statement saying absolutely nothing, but serving to CMA.

    "I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered and was then moved to a secure location."

    [Translation] I soiled myself, and berated my minions.

    "We take information security very se

  • As the AG and the FBI are looking into matters: "Combs has endorsed legislation enhancing information security, including a proposal that each agency designate a chief privacy officer and another to create a state Information Security Council."

    Gee Susan [state.tx.us], I think the horse has left this burning barn...unless you're looking for ways to spread the blame the next time this happens?

  • by Locke2005 (849178) on Monday April 11, 2011 @11:52PM (#35789238)
    Especially the fuckups!
  • In Sweden all this information is public for all citizens. Private organizations do however need a permit to keep a registry with personal information.

All constants are variables.

Working...