[BreachExchange] 1.25 Million Records Exposed in Employees Retirement System of Texas Data Breach

Destry Winant destry at riskbasedsecurity.com
Mon Oct 29 02:58:24 EDT 2018


The Employees Retirement System of Texas (ERS) has discovered a flaw
in its ERS OnLine portal allowed certain individuals to view
information of other members after logging into the portal.

ERS explained that a coding error, introduced on January 1, 2018,
affected the “Annual Out-of-Pocket Premium” function of its ERS OnLine
system. The function is used by some retirees, direct-pay members,
employees on leave without pay and COBRA participants. The function
“allows participants who pay their Texas Employees Group Benefits
Program (GBP) premiums with after-tax dollars to see their own premium
payment information.” However, the flaw meant that certain ERS members
were displayed information about other members and in some cases,
certain beneficiaries – if those beneficiaries had received some form
of payment from ERS and had information in the ERS OnLine system.

ERS notes that the coding error only returned other members’
information when individuals performed a modified search via the
affected function and therefore it is “very unlikely” than most
members information was accessed by other members. Since the function
could only be used after logging in, and was only available to a
limited group of individuals, the breach was limited in scale.
Information was not exposed to the public at any point and its system
was not hacked.

As a result of the error, the following information could potentially
have been disclosed to other individuals: First and last names, Social
Security numbers, and ERS member identification numbers (EmplIDs).

The security issue was discovered by ERS on August 17, 2018 when an
ERS member raised the alert after a modified search returned the
names, ERS ID numbers, and Social Security numbers of 50 other
members. ERS immediately shut down the ERS OnLine system while the
flaw was identified and corrected. The system was brought back online
rapidly with the flawed search function disabled. ERS notes that the
50 members whose information was accessed were notified promptly.

ERS conducted a thorough investigation of the issue to determine if
any other functions were affected, with assistance provided by
third-party experts. ERS reports that the flaw was limited to the
single function. Further controls on code design and code reviews have
now been implemented to prevent any similar errors from resulting in
the exposure of sensitive information in the future.

All affected members have been notified by mail and have been
automatically enrolled in identity restoration services through
Experian, which will be provided for one year without charge.

The security incident has now been reported to the Department of
Health and Human Services’ Office for Civil Rights. The breach summary
indicates up to 1,248,263 individuals have potentially been affected
by the breach.

More information about the BreachExchange mailing list