Worker Data Was On Web

February 17, 2007

By Colin Poitras, Courant Staff Writer,0,7667978.story?coll=hc-headlines-politics-state

Personal information for hundreds of state employees - including their names and Social Security numbers - was inadvertently posted on the Internet, the state comptroller's office said Friday.

Officials said they believe the risk of identity theft is low, though the information had been on a state website for more than three years. The problem was discovered in January, and the 1,753 employees affected were informed of the mistake in letters mailed Feb. 8, officials said.

The personal information was included in a spreadsheet of vendors used by the state that was accessible to the public on the state Department of Administrative Services website, according to Steven Jensen, a spokesman for state Comptroller Nancy S. Wyman's office.

Because of privacy concerns, Jensen declined to identify the particular group of employees affected or say why they were selected from among the state's approximately 55,000 employees. But he said the state sometimes sets up special payroll deduction files for workers and in those cases those individuals are identified as "vendors" under certain pay codes. Such a qualifier might inadvertently place someone on a state vendor spreadsheet, he said.

Officials believe the information was on the website since October 2003. But officials were not alerted to the problem until last month when a state employee searching his name on the site noticed the information and made a call, Jensen said.

According to the letter sent to employees from the comptroller's office, the spreadsheet was accessible to the public only when a specific name on it was searched. There was no menu or published link available where individuals could simply click on a title and open it.

The Social Security numbers were displayed without hyphens and each had a numerical suffix attached, making them not easily recognizable, the letter said.

The file was removed from the site and then "scrubbed" clean by information technology specialists to be certain it could no longer be accessed, Jensen said.

Jensen said he had received 57 calls by Friday from employees inquiring about the situation.

"The majority of people have been very understanding of the situation," he said.

As a precaution, the comptroller's office has advised the employees to monitor their personal financial records for the next few months and to contact a major credit reporting company to check the status of their personal credit.

"With all the attention that has been given to similar losses of data at the Veterans Administration and at banks and universities, I would have thought somebody would have been a lot more careful with that information," said Ken Clair, a state employee who received one of the letters.

Clair said he was concerned that he did not learn about the problem until he got the letter a few weeks ago. He thought officials would have moved more quickly once they realized the mistake and not waited several weeks to send out a letter.

Jensen said he believed this was the first time personal state employee information had been posted inadvertently on the Internet.

main page ATTRITION feedback