Sign-up for email updates


Frequently Asked Questions

Incident Response Questions and Answers

General Identity Theft Questions and Answers



Incident Response

What personal information was involved?

The files that were inadvertently posted on one of the agency’s file transfer servers contained certain personal information of about 3.5 million people, including names, addresses and Social Security numbers.

Back to Top

If my name appeared on more than one of the inadvertently posted data files, does that mean that my personal information is at a higher risk? (Updated 4/28/11)

There is no indication that your information is at a higher risk or that the affected personal information has been misused. We are notifying people so they can take precautions they feel necessary.

Back to Top

What can I do now if I was affected? (Updated 7/28/11)

  1. STEP 1:Explore credit monitoring services.
  2. STEP 2: Consider placing a fraud alert on your credit file.

    In addition to signing up for credit monitoring, affected individuals can request to have a free, 90-day fraud alert placed on their credit files by contacting any one of the three major national credit bureaus. This typically takes less than five minutes.

    You can renew the free fraud alert every 90 days.

    You can have an extended fraud alert (for seven years) placed on your credit report if you’ve been a victim of identity theft and you provide the consumer reporting agency with an Identity Theft Report.

  3. STEP 3: Order your free credit report.

    You are entitled under U.S. law to one free credit report annually from each of the three national credit bureaus. To order your free credit report, visit AnnualCreditReport.com, call toll free at (877) 322-8228 or complete the Annual Credit Report Request Form (PDF, 41K) on the U.S. Federal Trade Commission’s website at www.ftc.gov and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. The three credit bureaus provide free annual credit reports only through the website, toll-free number or request form.

    When you receive your credit report, review it carefully. Look for accounts you did not open. Look in the “inquiries” section for names of creditors from whom you haven’t requested credit. Some companies bill under names other than their store or commercial names. The credit bureau will be able to tell you when that is the case. Look in the “personal information” section for any inaccuracies in your information (such as home address and Social Security number). If you see anything you do not understand, call the credit bureau at the telephone number on the report. Errors in this information may be a warning sign of possible identity theft.

    You should notify the credit bureaus of any inaccuracies in your report, whether due to error or fraud, as soon as possible so the information can be investigated and, if found to be in error, corrected. If there are accounts or charges you did not authorize, immediately notify the appropriate credit bureau by telephone and in writing. If you find that any accounts have been tampered with or opened fraudulently, close them immediately

    To ensure that you do not become responsible for any debts or charges, use the ID Theft Affidavit Form (PDF, 106K) to help make your case with creditors.

  4. STEP 4: Consider placing a security freeze on your credit file.

    You may wish to place a “security freeze” (also known as a “credit freeze”) on your credit file. A security freeze is designed to prevent potential creditors from accessing your credit file at the credit bureaus without your consent. There may be fees for placing, lifting and/or removing a security freeze. Unlike a fraud alert, you must place a security freeze on your credit file at each credit bureau individually. Since the instructions for establishing a security freeze and fees vary among the credit bureaus, please contact the three national credit bureaus to find out more information.

    • Equifax
      Place a security freeze by calling 1-877-478-7625.
    • Experian
      Place a security freeze by calling 1-888-397-3742.
    • TransUnion
      Place a security freeze by calling 1-888-909-8872.

    The credit bureaus may require proper identification prior to honoring your request. For example, you may be asked to provide:

    • your full name with middle initial and generation (such as Jr., Sr., II, III)
    • your Social Security number
    • your date of birth
    • proof of your current residential address (such as a current utility bill)
    • addresses where you have lived over the past five years
    • a legible copy of a government-issued identification card (such as a state driver's license or military ID card).
  5. STEP 5: Learn more about steps you can take to fight identity theft.

    Visit the Federal Trade Commission's Fighting Back Against Identity Theft. Also, view more helpful tips and resources on preventing fraud and identity theft from the three national credit bureaus: Equifax Help, Experian Fraud FAQs and TransUnion Fraud and Identity Theft.

  6. STEP 6: Read about ways you can detect identity theft.

Back to Top

I heard that the Comptroller’s office is providing free identity restoration services to all affected individuals. Is that true? (Updated 7/28/11)

The Comptroller's office arranged to provide free credit monitoring through CSIdentity for individuals affected by the unauthorized posting of their personal information. The sign-up period ran from April 29, 2011 to July 27, 2011. The service alerts subscribers to certain activity associated with their credit files, such as credit inquiries or account openings, closings or delinquencies. Subscribers also receive CSIdentity's Internet surveillance service, which monitors chat rooms and websites. CSIdentity's services also include identity restoration services for those who enrolled in the service during the April 29, 2011 through July 27, 2011 sign-up period, if their personal information is proven to be misused as a result of the data posting.

Is ERS, TRS or TWC calling people who may be affected? (Added 4/19/11)

No. Affected state employees and retirees — as well as current and retired teachers or university employees — should be aware that the Employees Retirement System of Texas, Teacher Retirement System of Texas and the Texas Workforce Commission are NOT calling those who may have been affected by the incident and asking for personal information. If you have received a call from someone saying they are with ERS, TRS or TWC in reference to this incident, please be aware that the call is fraudulent and you should not provide any information to the caller. Simply hang up. You may wish to submit a complaint regarding the phone call you received to the Attorney General’s Consumer Protection Division. They have an online complaint form to complete at https://www.oag.state.tx.us/consumer/complain.shtml.

Back to Top

When was this data available online?

The data was transferred in 2010 by the Teacher Retirement System of Texas (TRS), the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas (ERS). TRS data transferred in January 2010 had records of 1.2 million teachers and staff in the teacher retirement program. TWC data transferred in April 2010 had records of about 2 million people. ERS data transferred in May 2010 had records of approximately 281,000 state employees and retirees. The information transferred to our agency was legislatively mandated.

Back to Top

How did this happen?

Three data files were transferred to the Comptroller’s office by the Teacher Retirement System of Texas (TRS), the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas (ERS). Several internal Comptroller procedures were not followed, leading to the personal information being placed on one of the agency’s file transfer servers.

Back to Top

Is this information still at risk of disclosure to an unauthorized person?

The Comptroller’s office took immediate action to remove the records from the affected file transfer server. In addition, the Comptroller’s office has done a review of its file transfer servers and has secured data maintained on the servers. We have taken actions to help ensure this type of incident will not happen again. The Comptroller’s office also is working with the other agencies involved and with the Texas Attorney General’s office to investigate the incident.

Back to Top

How do I know if my personal information was included in the data that was affected?

The Comptroller’s office mailed letters beginning on Wednesday, April 13, 2011 to all individuals who may have been affected by the inadvertent posting of personal information. The three data files were on a separate file transfer server and no tax or treasury systems or information were compromised in any way. The TRS data file was sent to us in January 2010 and had information on about 1.2 million people; the TWC file was sent to us in April 2010 and had information on about 2 million people; and the ERS data file was sent to us in May 2010 and had information on about 281,000 people. View Data Exposure Grid to see who could be affected.

See Contact for more details on reaching our office.

Back to Top

If my name is on the list of those whose personal information was compromised, what data of mine has been inadvertently posted? (Added 4/13/11)

The records contained names, mailing addresses and Social Security numbers. Please see Proactive Steps to Protect Your Identity for recommended steps and resources for protecting personal information.

Back to Top

Do you know if the information was accessed and searched while it was inadvertently posted? (Added 4/13/11)

The Comptroller’s office has provided information to the Attorney General’s office for an in-depth investigation of this issue. At this time, there is no indication that personal information has been misused. Still, we urge everyone to take appropriate precautions to secure their personal information as a safeguard. Please see Proactive Steps to Protect Your Identity for recommended steps and resources for protecting personal information.

Back to Top

Why can’t I check your website to see whether my personal information has been compromised?

For confidentiality and security reasons, we are providing this information only over the phone.

Back to Top

What if I want to talk to someone or verify whether I am affected?

In response to this incident, a call center was set up to address any concerns not covered by the information on this website.

The Comptroller of Public Accounts is committed to and supportive of practices that protect the privacy of sensitive and confidential data that is a part of any transaction with the Comptroller’s office or that is otherwise used or stored by the Comptroller’s office. If you have any concerns about the privacy of your data or have any questions about the agency’s privacy practices, please contact the Comptroller’s Chief Privacy Office at 1-800-531-5441, ext. 4-9997.

Back to Top

Was any personal information of beneficiaries or dependents also affected? (Added 4/13/11)

No. According to the Teacher Retirement System of Texas (TRS) and the Employees Retirement System of Texas (ERS), the data files did not include any personal information for beneficiaries or dependents of the individuals affected (unless a beneficiary was also a state employee, TRS employee or TRS member).

Back to Top

Can I call the toll-free number to see if my spouse's information was on the list of those whose information was compromised? (Added 4/13/11)

No, for security reasons, the husband or wife is not allowed to check and the call should be made by the individual.

Back to Top

If I received a letter, does that mean someone stole my personal information?

No. The preliminary investigation revealed that three database files that contained personal information were inadvertently posted on one of the agency’s file transfer servers. There is no indication the personal information was misused as a result of this incident.

Back to Top

Do the letters include specifics on what information was compromised? (Added 4/13/11)

The letter is a notification to let those affected know their personal information was inadvertently posted. The data files contained names, mailing addresses and Social Security numbers. Please see Proactive Steps to Protect Your Identity for recommended steps and resources for protecting personal information.

Back to Top

My address has changed. What if I don't receive my letter? (Added 4/13/11)

We are set up with the U.S. Postal Service to forward mail to recipients’ most current address. For returned mail, we are making every effort to identify a correct name and address to resend the notification. For those we cannot identify, we are notifying the three agencies — Employees Retirement System of Texas, Teacher Retirement System of Texas and Texas Workforce Commission.

Back to Top

What should I do if I discover fraudulent use of my personal information? (Updated 4/20/11)

1. Contact law enforcement.

If you suspect and have evidence that you are a victim of identity theft, you should immediately file a police report with your local police department (not with the Texas Attorney General’s office). For instructions on when, how and where to file a police report, please see detailed steps to recover from Identity Theft on the Federal Trade Commission’s site. You can also contact the Victims Initiative for Counseling Advocacy and Restoration of the Southwest (VICARS) (www.idvictim.org). VICARS is a program of the Texas Legal Services Center that provides free civil legal services to victims of identity theft and financial fraud.

If another person is arrested and falsely uses your name or other personal information, Texas law allows you to have this information expunged from the arrest record. Contact the Crime Records Service at the Texas Department of Public Safety (DPS) for more information on the expunction process.

2. Contact the national credit bureaus.

Individuals whose personal information was involved in this incident can request that a free, 90-day initial fraud alert be placed on their credit files by calling any one of the three major national credit bureaus:

Fraud alert messages notify potential credit grantors to verify your identity before extending credit in your name. You can renew the free fraud alert every 90 days.

3. Request the following information from the credit bureaus:

  • Instruct them to flag your file with a fraud alert including a statement that creditors should get your permission before opening any new accounts in your name
  • Ask them for copies of your credit report(s). Credit bureaus must give you a free copy of your report if it’s inaccurate because of suspected fraud.
  • Be diligent in following up on your accounts.
  • If you find that any accounts have been tampered with or opened fraudulently, close them immediately. To ensure that you do not become responsible for any debts or charges, use the ID Theft Affidavit Form (PDF, 106K) developed by the Federal Trade Commission to help make your case with creditors.

Back to Top

Why doesn’t the Comptroller’s office call the credit bureaus to set up the fraud alert for everyone affected? (Updated 9/01/11)

Though the Comptroller's office would like to automatically set up fraud alerts for everyone affected, the credit bureaus require consumers to take additional steps when obtaining credit, fraud alerts and other services, and those can only be activated with the consent of the individual customers. Setting up a fraud alert is fast and easy, and typically can be completed within 5 minutes.

Back to Top

I heard that free credit monitoring is available. What is it and how I can set it up?
Who will pay for continuing assistance? (Updated 9/01/11)

The Comptroller's office arranged for one year of credit monitoring through CSIdentity at no charge for those whose information was affected. The sign-up period ran from April 29, 2011 through July 27, 2011. The service alerts subscribers to certain activity associated with their credit files, such as credit inquiries or account openings, closings or delinquencies. Subscribers will also receive CSIdentity's Internet surveillance service, which monitors chat rooms and websites. The offer of free credit monitoring ended on July 27, 2011.

Back to Top

What if I already paid for credit monitoring? (Added 4/29/11)

Some people whose personal information was affected may have already signed up for discounted credit monitoring and identity protection services offered by several service providers through the Comptroller's office. Those companies have cancellation and refund policies, and individuals who signed up can contact the companies if they wish to cancel.

Will signing up for fraud alerts or credit monitoring negatively affect my credit? (Added 4/20/11)

No. Requesting a copy of your credit report will not negatively affect your credit score. Neither will subscribing to a credit monitoring service. When you authorize a lender to check your credit, it is called a “hard pull,” which may cause your credit score to drop slightly. When you check your own credit, this is known as a “soft pull,” which does not hurt your score. You can check your own credit report and score as frequently as you like without consequences.

Back to Top

Who should I contact if I have any additional questions concerning this incident?

You may email your question to us at safeguards@cpa.state.tx.us. You can also sign up to receive email updates to keep you informed on the latest developments.

Back to Top

What steps is the Comptroller’s office taking to respond to this incident? (Updated 9/01/11)

Incident-related Communications

Individuals whose personal information was inadvertently posted were issued a letter from the Comptroller’s office in April.

On Monday, April 11, Texas media outlets were alerted to the inadvertent posting of certain personal information. A news release outlined details about the incident and this website was provided to give individuals access to more information.

A toll free hotline was made available Tuesday, April 12, for individuals wanting news or resources related to the incident.

Additional news releases have spotlighted other measures taken to assist those whose information was affected.

This website, www.TXsafeguard.org, was created to provide information about the incident, including updates on who was affected and what to do if your information was inadvertently posted, as well as additional details, recommended steps and resources. The site also provides this list of answers to frequently asked questions and an email alert individuals can sign up for to be informed of additional developments.

Policy Procedures and Enhancement

The Comptroller’s office took immediate action to remove the records from the affected file transfer server, and contacted all three major credit reporting agencies. The Comptroller's office also arranged for one year of credit monitoring through CSIdentity at no charge for those whose information was affected. The sign-up period ran from April 29, 2011 through July 27, 2011. The service alerts subscribers to certain activity associated with their credit files, such as credit inquiries or account openings, closings or delinquencies. Subscribers will also receive CSIdentity's Internet surveillance service, which monitors chat rooms and websites. The offer of free credit monitoring ended on July 27, 2011.

In addition to signing up for credit monitoring, affected individuals can request to have a free, 90-day fraud alert placed on their credit files by contacting any one of the three major national credit bureaus. This typically takes less than five minutes. Fraud alerts can be renewed every 90 days if needed. The Comptroller's office also is working with the other agencies involved and with the Texas Attorney General's office in investigating the incident. We have no information to indicate that this personal information has been misused, but we are notifying people so they can take precautions they feel necessary. In addition, the Comptroller's office has done a review of its file transfer servers and has secured data maintained on them.

Back to Top

What is the Comptroller’s office doing to ensure more security in the future?

The Comptroller’s office takes the protection of personal information very seriously. For information on maintaining information security in a digital world, please refer to the “State Response and Safeguards” section of this website.

Back to Top

What was the timeline of events? (Updated 4/28/11)

Date Event Description
January 2010 Records on 1.2 million education employees and retirees transferred from Teacher Retirement System of Texas to the Comptroller’s office.
April 2010 Records of about 2 million individuals transferred from Texas Workforce Commission to the Comptroller’s office.
May 2010 Records of approximately 281,000 state employees and retirees transferred from Employees Retirement System of Texas to the Comptroller’s office.

The information was required to be transferred per statute by these agencies and used internally at the Comptroller’s office as part of the unclaimed property verification system. As a result of this data-matching, $41.5 million in unclaimed property claims were generated for Texans.
March 31, 2011 At approximately 5:00 p.m., the Comptroller’s office first discovered that an ERS file containing personal information had been placed on a server accessible to the public and had not been purged as required by internal procedures.

At approximately 5:15 p.m., the ERS file was secured by restricting access permissions to only server administrators.
April 1, 2011 All files on the server were relocated to a secure location, and by 9:00 a.m. access was removed to the TRS/TWC files.
April 1-8, 2011 Internal Comptroller review and investigation.
April 4-10, 2011 Comptroller’s office gathered information for notification letters, website resources and call center operations to provide accurate and open information to the public and all affected individuals; in addition, Comptroller’s office contacted the Attorney General’s office and provides details and information.
April 11, 2011 Agency issued news release alerting the public of the personal information exposure and created website, www.TXsafeguard.org to provide additional details, recommended steps and resources.
April 12, 2011 Special toll-free phone line opened at 7:30 a.m. that enabled callers to check if they are receiving a notification letter.
April 13, 2011 Letters sent to three and a half million people whose personal information may have been exposed.
April 15, 2011 Comptroller’s office arranges with Experian to offer affected individuals a 70 percent discount on one year of credit monitoring.
April 20, 2011 Comptroller’s office arranges with CSIdentity to offer affected individuals one year of fraud-related assistance for $29.95, a 70 percent discount.
April 28, 2011 The Comptroller arranges for free credit monitoring provided through CSIdentity for all those whose information was affected. The sign-up period for this free offer ran from April 29, 2011 through July 27, 2011.

Back to Top



General Identity Theft

What can I expect from the credit reporting agencies? (Updated 9/01/11)

A credit-reporting agency is a company that collects data from various sources, and provides consumer credit information on individual consumers.

In the United States, the three major, nationwide credit-reporting agencies are Equifax, Experian and Trans Union.

These agencies are able to provide a copy of your credit report as well as services to help guard against unauthorized use of your credit, including credit monitoring and alerts.

You may contact any one of the three agencies for a free, 90-day fraud alert. When you request a fraud alert from one bureau, it will notify the other two for you. You can renew the free fraud alert every 90 days. A fraud alert makes it more difficult for someone to get credit in your name. Contact the credit bureaus at:

In addition to fraud alerts, these agencies offer a credit freeze (also called a security freeze), which prevents a third-party from accessing your credit without your consent, and prevents organizations from updating some information on your report.

Credit agencies also allow you to submit disputes against inaccurate or fraudulent activity you see on your credit report.

The Comptroller's office arranged for one year of credit monitoring through CSIdentity at no charge for those whose information was affected. The sign-up period ran from April 29, 2011 through July 27, 2011. The service alerts subscribers to certain activity associated with their credit files, such as credit inquiries or account openings, closings or delinquencies. Subscribers also receive CSIdentity's Internet surveillance service, which monitors chat rooms and websites. The offer of free credit monitoring ended on July 27, 2011.

Back to Top

What should I do to protect my identity? (Updated 7/28/11)

Early detection of potential identity theft makes a big difference. Monitor your financial statements and credit reports regularly. There are several options you can take now to minimize the risk of becoming an identity theft victim:

  1. Explore credit monitoring services.
  2. Notify at least one of the major credit bureaus and establish a free 90-day fraud alert.

    Immediately call the fraud department of one of the three credit reporting agencies and request a free 90-day fraud alert:

    When you request a fraud alert from one bureau, it will notify the other two for you.

    You can renew the free fraud alert every 90 days. Your credit file will be flagged with a statement that says you may be a victim of fraud and that creditors should phone you before extending credit. You may cancel the fraud alerts at any time.

  3. Order your credit reports.

    When you establish the free, 90-day fraud alert, you will receive a follow-up letter or online confirmation from each credit bureau. Each letter explains how you can order a free copy of your credit report from that credit bureau. We suggest that you take advantage of this offer and order your credit reports soon. If you are a victim of identity theft, you will see evidence of it on your credit report.

    Moreover, all consumers are also entitled to one free credit report a year from each of the three major credit reporting agencies at the website AnnualCreditReport.com, whether or not they are the victim of identity theft.

  4. Examine your credit reports carefully.

    When you receive your credit reports, look for signs of fraud such as credit accounts that you did not apply for. Check if there are numerous inquiries on your credit report. If a thief is attempting to open up several accounts, an inquiry will be listed on your credit report for each of those attempts. Also, check that your Social Security number, address(es), phone number(s), and employment information are correct.

  5. Continue to monitor your credit reports.

    Be aware that these measures may not entirely stop new fraudulent accounts from being opened by an imposter. Credit issuers do not always pay attention to fraud alerts, even though federal law now requires it. Once you have received the first free copy of your credit report, follow up in a few months and order another.

  6. Consider a security freeze.

    Texas law enables individuals to place a security freeze on their credit reports if they have filed an identity theft criminal complaint with law enforcement.

    A security freeze is stronger than a fraud alert because it prevents anyone from accessing your credit file until and unless you authorize the credit bureaus to release your report. (Please note that it does not affect existing accounts and includes other exceptions.)

    Be aware that this might be inconvenient if you will be applying for new credit, an apartment, or employment involving a background check, since you will have to lift the freeze on your credit file. You can write to request that it be lifted for a certain period of time or for a specific creditor.

Back to Top

How do I know if I am a victim of identity theft?

Typically, people find out they are victims when they receive collection notices for items or accounts they have never purchased or opened. Check your credit report for suspicious activity.

Back to Top

What should I do if I find I am the victim of identity theft?

Taking Charge: Fighting Back Against Identity Theft

Download a copy of the FTC’s brochure Taking Charge: Fighting Back Against Identity Theft (PDF, 4.9M) for helpful advice.

If your credit report indicates you are a victim of identity theft, you will want to immediately file a police report. It is very important to do this, as you will use the report as proof that you are a victim of identity theft.

Report fraudulent accounts and erroneous information in writing to the credit bureaus and the credit issuers following the instructions provided with the credit reports. You will more than likely be asked for a copy of your police report. A telephone call will not protect your rights under the law.

In all communications with the credit bureaus, you will want to refer to the unique identification number assigned to your credit report and mail items certified, with return receipt requested. Be sure to save all credit reports as part of your fraud documentation.

You may also want to visit the Federal Trade Commission’s identity theft website at www.ftc.gov/bcp/edu/microsites/idtheft/ for further information.

Back to Top

How do I prove that I'm an identity theft victim?

Applications or other transaction records related to the theft of your identity may help you prove that you are a victim. For example, you may be able to show that the signature on an application is not yours. These documents also may contain information about the identity thief that is valuable to law enforcement. By law, companies must give you a copy of the application or other business transaction records relating to your identity theft if you submit your request in writing, accompanied by a police report. Read more about getting information from businesses, and use this model letter to request this information.

Back to Top

Should I apply for a new Social Security number?

Under certain circumstances, the Social Security Administration may issue you a new Social Security number — at your request — if, after trying to resolve the problems brought on by identity theft, you continue to experience problems. Consider this option carefully. A new Social Security number may not resolve your identity theft problems, and may actually create new problems. For example, a new Social Security number does not necessarily ensure a new credit record because credit bureaus may combine the credit records from your old Social Security number with those from your new Social Security number. Even when the old credit information is not associated with your new Social Security number, the absence of any credit history under your new Social Security number may make it more difficult for you to get credit. And finally, there’s no guarantee that a new Social Security number wouldn't also be misused by an identity thief.

Sources: Attorney General of Texas
Federal Trade Commission, What To Do If Your Personal Information Has Been Compromised