California's Department of Fish and Wildlife said that the sensitive personal data of thousands of state employees and contractors was exposed in a security breach discovered nearly two months ago. Department officials said a former employee downloaded the data to an unencrypted personal device and took the records outside of the state department's network.
The department has not named the ex-employee in question or provided any details regarding when or why the data was downloaded by the former staffer.
Compromised data included the full names, Social Security Numbers and, in some cases, home addresses of people who worked at the CDFW and California's Wildlife Conservation Board in 2007, a memo sent to its existing employees last week reportedly states. The personal data of vendors who worked with the board between 2007 and 2010 was also compromised in the breach.
About 2,300 people were working at the CDFW in 2007, according to state records.
The security breach was first discovered before Christmas on 22 December 2017, officials said. Department spokeswoman Jordan Traverso said CDFW has not yet found evidence of any malicious hackers profiting off of the exposed data, the Sacramento Bee reports.
"We take the security of personally identifiable information very seriously," CDFW said in the memo dated 15 February. "We promptly notified the California Highway Patrol (CHP), which is investigating the incident."
CDFW said it did not notify the individuals until this week in compliance with a civil code that says notification may be delayed until law enforcement determines doing so will not affect its criminal investigation into the breach.
"At this time, we have no information to indicate the former employee had any malicious intent," CDFW added. "CDFW regrets that this incident occurred and wants to assure you that we are reviewing and revising our policies, procedures, and practices to minimize the risk of future recurrence."
IBTimes UK has reached out to CDFW for further comment.
News of the security breach comes just days after the Sacramento Bee accidentally leaked a database that included 19 million California voters' records online. The exposed information was swiftly scooped up by hackers who locked down the data and held it for ransom.
It was discovered that the database was left exposed for about two weeks following routine maintenance.
In December last year, a MongoDB database containing the personal data of every voter in California was also left unprotected. It was later deleted by hackers and replaced with a ransom note. It is still unclear who that database belonged to.