The personal information of 15,000 current and former transit workers was discovered by a person who purchased a refurbished CD drive, according to a letter sent to them about the breach.
The information was on a CD within the drive. The person who bought it was coincidentally a technology security official who worked for a New York City Transit vendor, and reported it to the company.
The vendor then returned the CD to the MTA.
The information included the names, social security numbers, and the date of birth of workers with different titles throughout the New York City Transit Authority, including those retired and deceased.
A source said those affected included top bosses, supervisors, and salaried workers, not workers who are paid hourly.
“An investigation is underway to determine the cause of the security breach,” said the letter from MTA Chief Information Officer Sidney Gellineau to those affected, which was sent on March 6.
The letter also says that the placement of the personal information on a CD is a breach of MTA policy, because it was not encrypted.
An MTA spokesman said there is an investigation going on to determined what happened, and said there was no indication that the data has been used for malicious purposes.
Workers that have been affected by the breach are being offered a free year of credit monitoring and identity theft protection.