Nearly 85,000 state employees in North Carolina had their information mistakenly uploaded to an internal portal.
The N.C. Department of Information Technology and the Office of State Human Resources said in a news release Thursday that a file containing the names, Social Security numbers and employment information of the 84,860 employees was uploaded to an internal website that is accessible to other state employees.
It was found on July 30 during a “sweep for personally identifiable information on the state’s network” and was immediately removed, the news release said. The file had been accessible since May 14, 2020, according to a letter notifying current and former employees whose information was included in the file.
The public did not have access to the file, and there is no evidence that it was accessed by anyone besides the employees who identified and fixed the issue, the state said.
But the letter said the “chance that the file was improperly accessed” can’t be ruled out.
“The intranet portal is accessible only if employees authenticate using the username and password that they use for work,” the letter said. “Although we have no evidence that anyone accessed the information outside of those involved in the state identification and remediation efforts, the file was potentially accessible to the 65,000 state employees who had authenticated access to that intranet site.”
Employees who were affected will be given free identity theft resolution services for two years, the release said. The letter notifying them of the situation also includes steps to protect themselves and contact information for “major consumer reporting agencies” where they can get more information on preventing identity theft.
Those steps include reviewing account statements, monitoring credit, requesting fraud alerts from credit bureaus, considering a security freeze and watching out for fake credit monitoring services, the letter says.
The letter said more information will be shared on how to enroll in the free identity theft resolution services once the state selects a vendor.
“In addition, NCDIT and OSHR have implemented new security procedures to protect employees’ personal data, including more comprehensive sweeps like the one that found the file and additional cybersecurity training will be assigned,” the news release says.
No information other than the employees’ names, Social Security numbers, the agency they work for, their position classification and title was included in the file, the letter says.
“We want to offer our deep and sincere apology that, in this instance, your personal information was not properly secured. As an employer and as your government, we must do better,” the letter said. “We will continue to work to better safeguard your data and prevent future security issues.”