Skip to Content

TDI: Additional Facts on Data Security Event

TDI provided clarification of information that appears in several recent news stories about their January 2022 data security event.

TDI discovered a programming code error in a web application and promptly fixed it.

In January 2022, TDI found the issue was due to a programming code error that allowed internet access to a protected area of the application. TDI promptly disconnected the web application from the internet. After correcting the programming code, TDI placed the web application back online. The forensic investigation could not conclusively rule out that certain information on the web application was accessed outside of TDI. This does not mean all the information was viewed by people outside TDI. Because they couldn't rule out access, TDI took steps to notify those who may have been affected.

There is no evidence to date that there was a misuse of information.

In January 2022, TDI began an investigation to determine the full nature and scope of the issue, which included working with a forensic company and working to find out whose information was or might have been viewed by people outside of TDI. To date, TDI is not aware of any misuse of the information.

TDI conducted an investigation, addressed the issue, and then reported it publicly.

The Texas State Auditor’s Office (SAO) started a data management audit at TDI last fall. TDI identified the web application issue in January 2022 and, after correcting the code issue, reported it publicly, including issuing letters to potentially affected individuals, posting notice on our website, and issuing a news release. The SAO then added a reference of the event in their report’s executive summary.

The March 24 notice TDI sent to the media and consumers was not dependent on or initiated by the SAO audit, nor was the timing of that notice related to the SAO audit or report. The SAO was working on their audit during the time TDI was investigating the event and was in the process of preparing notices.

Individuals file workers’ compensation claims with their employer’s insurance carrier, not the Division of Workers’ Compensation (DWC).

Employees who are injured or become sick while performing their duties on the job file claims with the insurance carrier with which their employer has a policy. DWC does not pay benefits. DWC regulates the workers’ compensation system and collects data from system participants for that purpose.

TDI provided notice to Texas state media and consumers in March 2022.

TDI’s March 24, 2022, news release

Notice of data security event