HOUSTON – A huge mistake by the City of Houston has potentially exposed sensitive personal information of hundreds of current and former city workers.
The names, social security numbers and other financial information was stored in a locked filing cabinet sold by the city at auction in February.
“We could hear stuff was in there,” said Tom Norris, who bought the cabinet as part of a larger lot of surplus city goods. “It was kind of heavy for what it was.”
But Norris, a veteran of several auctions, wasn’t prepared for what he found inside.
“It was a big surprise,” Norris told the I-Team. “I just couldn’t believe they let that kind of information flow.”
Norris said he realized the two-drawer filing cabinet, which was locked, was not empty when he arrived at the city’s warehouse to pick it up.
“I said, ‘Hey, you want to get your stuff out?” Norris said. “And they said, ‘Oh no. You own it. You bid on it. It’s yours.”
Norris had the cabinet unlocked when he got it back to his office. Inside he found nine zip disks, some of which were labeled “accounting.”
Norris says he called the city to make workers aware of the situation, but says no one returned his calls.
That’s when he called the I-Team.
“I was appalled,” Norris said. “They’re handing out information. I don’t know what’s on there, but I imagine it could be pretty damaging.”
At the time, Norris, who didn’t have a zip drive to check the disks, didn’t know what information was on them.
The I-Team took the information to Gary Huestis, an expert in digital forensics with the company e-Investigations.
The files containing personal information were not password protected nor encrypted.
“Zip drive and Microsoft Excel and you can see what's on here,” Huestis said.
A quick scan of the disks revealed 829 names with social security numbers and payroll details.
The files appeared to come from the city’s municipal courts division. Some dated back to the early 2000s.
At the time, Gary Gray was an assistant chief clerk in the division.
“Oh my goodness, that’s unbelievable,” said Gray when showed that his information was on the disks. “It’s inexcusable. That’s a very huge lack of controls.”
“Does the city owe you can explanation, how this happened?” the I-Team asked Gray.
“I think they owe everyone on this list an explanation,” Gray said.
So far, the city refuses to discuss what happened.
A spokeswoman would only say that no city policies were broken and that workers assumed the cabinet was empty.
But Norris doesn’t believe it.
“That’s outright lies,” he said. “Somebody’s head should roll for this. If it was my parents’ information on there, or one of my relatives, I would lose my mind.”
A licensed private investigation, the what-if’s of the city’s mistake scare him.
“What if they’d gotten in somebody else’s hands?” Norris said. “There’s no background check when you sign up for the auction. Anybody could have signed up and wound up with these disks.”
Meanwhile, former employees like Gray wonder what other information the city’s auctioned off over the years.
“You never know what could be out there now,” Gray said.
The I-Team made six requests to sit down with someone from the city to get answers about how this happened and to get specifics about what’s being done to make sure it never happens again.
Instead, a spokesperson for Mayor Sylvester Turner issued a statement saying:
“It was a mistake that should not have happened. The City is notifying the affected individuals. The City is aware of how important personal information is and we take employee privacy very seriously. Our goal is to prevent breaches of sensitive data, and we are implementing new standard operating procedures to ensure this does not happen again.”
The statement goes on to say the city will no longer accept locked items for auction.
Meanwhile, Norris returned the disks to the city Monday afternoon, ending a week of legal back-and-forth.
Norris says he held on to the disks until he was certain the city was going to take the issue seriously.
“I was finally able to get some assurances in writing from the city that they were going to actually follow through with an investigation and notify all the people that their information had been compromised,” Norris said.