The Texas General Land Office (GLO) suffered a data breach due to a software misconfiguration in its online grant system, exposing the personal information of 44,485 individuals, primarily victims of natural disasters (2015–2024) seeking state relief. The flaw allowed applicants to view others' sensitive data including names, addresses, Social Security numbers, banking details, medical records, birth dates, and identification numbers when using the system’s search function. The issue was discovered in late July 2024 by a user who reported the unauthorized access. While the GLO claims the problem was immediately resolved, the agency admits it does not know when the glitch began or the full extent of exposure. The breach follows a pattern of recurring cybersecurity failures across Texas state agencies, including prior incidents at the Texas Tech Health Science Center (1.4M records stolen) and the Texas Department of Transportation (423K records compromised). The GLO has pledged to strengthen cybersecurity measures, including stricter access controls, improved monitoring, and internal reviews. However, critics argue Texas agencies remain vulnerable to basic cybersecurity lapses, with insufficient investment in system updates and access management. The exposed data highly sensitive and tied to disaster relief poses significant risks of identity theft, financial fraud, and long-term reputational harm to affected individuals.
Source: https://www.govtech.com/security/data-breach-hit-texas-general-land-office-online-system
TPRM report: https://www.rankiteo.com/company/texas-general-land-office
"id": "tex5262152091225",
"linkid": "texas-general-land-office",
"type": "Breach",
"date": "6/2015",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '44,485',
'industry': 'public administration (disaster relief)',
'location': 'Texas, USA',
'name': 'Texas General Land Office',
'type': 'state government agency'}],
'attack_vector': 'software misconfiguration',
'data_breach': {'number_of_records_exposed': '44,485',
'personally_identifiable_information': True,
'sensitivity_of_data': 'high (includes SSNs, banking info, '
'medical records)',
'type_of_data_compromised': ['personally identifiable '
'information (PII)',
'financial data',
'medical data']},
'date_detected': '2024-07-31',
'date_publicly_disclosed': '2024-08',
'date_resolved': '2024-07-31',
'description': 'The Texas General Land Office exposed the personal data of '
"44,485 people due to a 'software misconfiguration' in its "
'online grant system (Texas Integrated Grant Reporting '
"system). The glitch allowed applicants to see others' private "
'information, including names, addresses, Social Security '
'numbers, identification numbers, banking information, medical '
'info, and birth dates. The issue was discovered in late July '
'2024 when a user reported the vulnerability. The affected '
'individuals were victims of natural disasters (2015–2024) '
'seeking state relief for home repairs, rebuilding, and '
'buyouts. The agency resolved the issue immediately upon '
'discovery and announced plans to strengthen cybersecurity '
'measures, including stricter access controls, improved '
'monitoring, and internal review processes.',
'impact': {'brand_reputation_impact': 'potential erosion of public trust in '
'state agencies handling disaster '
'relief',
'data_compromised': ['names',
'addresses',
'Social Security numbers',
'identification numbers',
'banking information',
'medical information',
'birth dates',
'other personal data'],
'identity_theft_risk': 'high (due to exposure of SSNs, banking '
'info, and PII)',
'legal_liabilities': 'potential lawsuits or regulatory actions '
"(e.g., Texas Attorney General's involvement)",
'operational_impact': 'temporary exposure of sensitive data; '
'immediate mitigation required',
'payment_information_risk': 'high (banking information exposed)',
'systems_affected': ['Texas Integrated Grant Reporting system']},
'investigation_status': 'resolved (mitigation completed; root cause '
'identified as misconfiguration)',
'lessons_learned': ['Need for stricter access controls and system monitoring '
'in government grant systems',
'Importance of proactive vulnerability testing to catch '
'misconfigurations',
"Criticality of 'basic cybersecurity hygiene' (e.g., "
'updates, access management) to prevent low-level '
'breaches'],
'post_incident_analysis': {'corrective_actions': ['immediate patching of the '
'vulnerability',
'implementation of stricter '
'access controls',
'enhanced monitoring and '
'logging',
'internal process reviews'],
'root_causes': ['software misconfiguration in '
'grant system',
'inadequate access controls',
'lack of proactive monitoring']},
'recommendations': ['Implement regular security audits for state-funded '
'systems',
'Enhance employee training on data protection and '
'incident reporting',
'Invest in automated tools to detect misconfigurations in '
'real-time',
"Accelerate the Texas Cyber Command's operational "
'timeline to address systemic vulnerabilities'],
'references': [{'source': 'The News Station (TNS)'},
{'date_accessed': '2024-08',
'source': "Texas Attorney General's listing of data security "
'incidents'}],
'regulatory_compliance': {'legal_actions': ['potential lawsuit by Texas '
'Attorney General (precedent set '
'with PowerSchool case)'],
'regulatory_notifications': ['reported to Texas '
"Attorney General's "
'office']},
'response': {'communication_strategy': ['public disclosure via Texas Attorney '
"General's listing",
'statement by Land Commissioner Dawn '
'Buckingham'],
'containment_measures': ['immediate resolution of the software '
'misconfiguration'],
'enhanced_monitoring': True,
'incident_response_plan_activated': True,
'remediation_measures': ['strengthened cybersecurity',
'stricter access controls',
'improved system monitoring and logging',
'enhanced internal review processes']},
'stakeholder_advisories': ['Statement by Land Commissioner Dawn Buckingham '
'reaffirming commitment to data protection'],
'title': 'Texas General Land Office Data Exposure Due to Software '
'Misconfiguration',
'type': ['data breach', 'unauthorized data exposure'],
'vulnerability_exploited': 'improper access controls in the Texas Integrated '
'Grant Reporting system'}