"We recognize the seriousness of this issue and have identified and implemented additional security options to better protect customer information," said the Texas Parks and Wildlife Department.
How many Texans were affected: two different tallies
State officials now say millions of Texans had personal information copied in a breach at the vendor that handles hunting and fishing license sales. TPWD's public disclosure described the incident as impacting "3 million Texans," while a formal filing with the Office of the Attorney General lists a more precise total: 3,087,721 individuals. That OAG filing also appears to contradict TPWD's initial statement on what types of data were exposed.
What data was copied and where the accounts diverge
TPWD's disclosure states that basic personal information — email addresses, phone numbers and residential addresses — was copied after attackers breached the unnamed license vendor. The department said details of some victims' driving license and passport numbers "may be present" in the leaked dataset but, it added, Social Security numbers, financial data and information relating to minors were not involved.
By contrast, the OAG filing tied to the same incident notes that individuals' names and SSNs were also involved, creating an apparent conflict between the agency's public statement and the formal notice filed with the state attorney general.
Response actions: notification, credit monitoring, and technical measures
TPWD has moved to offer affected Texans one year of free credit monitoring through Kroll, with enrollment available until September 14. A Kroll webpage dedicated to the incident states that the investigation has not yet determined when the breach took place.
TPWD notified Texas Cyber Command on May 13, according to the department, and said it is working with the affected vendor to introduce additional preventive measures, including enhanced monitoring and access controls. The agency emphasized that many of its staff are hunters and anglers and were themselves affected by the incident, and pledged to continue to "work with the license system vendor to implement increased safeguards to prevent future incidents."
Impact on license sales and public-facing systems
TPWD said new license sales currently scheduled for August will go ahead as planned. At the time of reporting, however, the website used to purchase licenses was unreachable — a live operational detail that highlights a continuing service disruption even as the agency seeks to resume normal licensing operations.
What this means for hunters and anglers, TPWD security teams, and state cyber officials
- Hunters and anglers (affected Texans): Those named in TPWD's notices can enroll in one year of free credit monitoring from Kroll if they do so by September 14. They should also receive explicit notices detailing what information was exposed, per the department’s disclosures.
- TPWD and the vendor’s security teams: The department says it has identified and implemented additional security options and is working with the vendor to deploy enhanced monitoring and access controls — concrete steps the agency has shared publicly as part of its immediate remedial work.
- Texas Cyber Command and the Office of the Attorney General: Texas Cyber Command was notified on May 13, putting the state cyber organization on formal notice. The OAG filing provides a separate record with a larger affected population and different details on exposed data, a discrepancy that will be material to any regulatory or oversight follow-up.
The record presented so far is factual but contains two notable open questions embedded in the public documents: one, the exact number of Texans affected (3,000,000 as described by TPWD versus 3,087,721 in the OAG filing); and two, whether Social Security numbers were included in the copied data (TPWD’s disclosure says they were not, while the OAG filing asserts they were). Compounding those questions, Kroll’s incident page reports the investigation has not yet determined when the breach occurred.
TPWD’s pledge to implement "additional security options," the offer of Kroll monitoring through September 14 deadlines, the May 13 notification to Texas Cyber Command, and the August licensing schedule together create a timeline the public can track. Absent resolution of the numerical and data-content discrepancies in the filings, the most immediate facts remain the ones the agency has confirmed: millions of Texans connected to state hunting and fishing licenses had personal information copied in a vendor breach, remedial monitoring is being offered, and joint vendor–agency measures to strengthen monitoring and access controls are underway.
