The Employees Retirement System of Texas (ERS) has discovered a flaw in its ERS OnLine portal which allowed some users to view other members’ details upon logging into the portal. Up to 1.25 million records may have been exposed as a result of the error.
ERS, a public pension fund with over $21 billion in assets under management, has explained that an error in the website’s code affected the “Annual Out-of-Pocket Premium” function of its ERS OnLine system. The erroneous code was introduced to the website on introduced January 1, 2018. The “Annual Out-of-Pocket Premium” function is used by some retirees, direct-pay members, employees on leave without pay and COBRA participants. The function “allows participants who pay their Texas Employees Group Benefits Program (GBP) premiums with after-tax dollars to see their own premium payment information.”
The flaw in the portal meant that upon logging into the system, certain ERS members were shown information about other members using the system. In some cases, members were shown the information of some beneficiaries if they had received some form of payment from ERS and had information stored in the ERS OnLine system.
ERS notes that the coding error only returned other members’ information when individuals performed a modified search via the affected function. The organisation said that it is “very unlikely” that many of its members had their information accessed by other members. Since the function could only be used after logging in, and was only available to a limited group of individuals, the breach was limited in scale. At no point was any of the information publicly available, and the system was not hacked or victim to any other type of cyberattack.
As a result of the error, the information that could be accessed by unauthorised individuals includes: First and last names, Social Security numbers, and ERS member identification numbers (EmplIDs). There is no evidence that any of the information that may have been seen by other user’s has been used maliciously or for personal gain.
An ERS member discovered the breach when they performed a modified search on the portal on August 17, 2018. The member said that the search returned the names, ERS ID numbers, and Social Security numbers of 50 other members. ERS immediately shut down the ERS OnLine system while the flaw was identified and corrected. The system was brought back online rapidly with the flawed search function disabled. ERS said that the 50 members whose information was accessed were quickly identified and notified of the error.
ERS conducted a thorough investigation of the issue to determine if any other functions were affected. Third-party cybersecurity experts were contracted to assist with the investigation and assess the scope of the breach. ERS reports that the flaw was limited to the single function. Further controls on code design and code reviews have now been implemented to prevent any similar errors from resulting in the exposure of sensitive information in the future.
All affected members have been notified by mail in accordance with HIPAA’s Breach Notification Rule. ERS has offered to enrol the affected members in identity restoration services through Experian, which will be provided for one year without charge.
The security incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach summary indicates up to 1,248,263 individuals have potentially been affected by the breach-the number of people using ERS’s online portal. However, it is unclear how many members have actually had their data displayed to an unauthorised individual through the modified search function.