A “data security event” in the Texas Department of Insurance resulted in a data leak impacting approximately 1.8 million people.
The Texas Department of Insurance, aka TDI, revealed that the “data security event” happened on March 24. However, security researchers had noticed that Texas’ Attorney General’s office reported the incident on April 4.
The leaked information revealed numerous essential data such as names, home addresses, mobile & phone numbers, date of birth, partial security numbers, and complete social security numbers. In addition, information regarding injuries and worker compensation claims was included by the company in the data leak incident.
The Texas Department of Insurance has been extremely strict with the details of the incident. Still, it involves a breach caused by an unwanted entity or a third-party threat actor. Based on the insurance department’s brief description, they have discovered a critical flaw in their systems that can expose user data in one of its web apps.
TDI then advised the affected people that they are aware of the current situation that involves one of its web applications and is currently resolving the issue. The department’s compromised app is used to work on the workers’ compensation details.
The Department of Insurance insisted that the data leak was due to a programming code issue and not caused by a security breach.
The affected organisation stated that they had found the issue and the data leak was due to a programming code that enabled internet access to a protected area of their web application.
They stated that the application was momentarily disabled after their team spotted the security vulnerability. As of now, the web application is back online after the organisation repaired the flaw.
It is still unclear how much time the exposed data stayed online. Still, the Texas Department of Insurance claimed that a forensic company scoured the internet for the leaked data, and it did not find any evidence of misuse.
Nevertheless, TDI has offered the affected individuals free credit monitoring and identity theft protection services for a year. Additionally, the department notifies the individuals who created new compensation claims between March 2019 and January.