
Texas Data Breach Exposes 3 Million Driver's Licenses

3,087,721 Texas hunting and fishing license customers had driver’s license information and other personally identifiable data exposed after an intrusion into the third‑party license system used by the Texas Parks and Wildlife Department (TPWD), the agency disclosed.

Extent of the exposure: 3,087,721 license customers

The intrusion was discovered by the Texas Cyber Command, which launched an investigation to determine the scope and impact of the unauthorized access. TPWD says the exposure stems from its license system vendor — an external service used to sell hunting and fishing licenses and permits on the agency’s behalf.

TPWD has stated that Social Security numbers, dates of birth, and financial information such as credit card data were not impacted, but that other personally identifiable information associated with 3,087,721 customers may have been obtained by the threat actor.

Types of records exposed

  • Driver’s license information
  • Passport numbers
  • Email addresses
  • Phone numbers
  • Residential addresses

TPWD warns the exposed dataset is sufficient for attackers to target affected individuals with phishing and social engineering campaigns that could lead to malware distribution or attempts to extract additional sensitive information.

Investigation, vendor role, and agency response

The Texas Cyber Command led the discovery and investigation. TPWD has emphasized that the affected records were held by an external license system vendor rather than directly by the agency. The department says it is "working closely with the license system vendor to implement new safeguards and enhanced monitoring services."

BleepingComputer contacted TPWD for additional details and the identity of the third‑party service provider but had not received a statement at the time of the report.

Advice to affected individuals: credit monitoring, freezes, and vigilance

TPWD has informed impacted customers they are eligible for one year of free credit monitoring and advised them to monitor their credit reports and financial statements. The agency recommends that affected individuals consider placing a credit freeze or fraud alert with major credit bureaus as an additional protective measure.

TPWD also urged vigilance for phishing and impersonation scams, noting that threat actors may use the exposed contact and identity data to pose as companies or officials. The agency added, "There is no evidence that customers under the age of 18 were involved or that any specific group was targeted."

What this means for technologists, policymakers, and impacted individuals

  • Technologists and security teams: The incident highlights the operational need to coordinate safeguards and enhanced monitoring between state agencies and their external vendors; TPWD has said it is implementing such measures with the license system vendor.
  • Policymakers and procurement leaders: State use of an external vendor to sell licenses places third‑party vendor risk squarely in scope for oversight and procurement reviews of how agencies protect customer PII.
  • Impacted individuals and the public: Affected Texans should enroll in the offered credit monitoring, consider credit freezes or fraud alerts, monitor financial statements, and treat unsolicited communications with increased scrutiny given the potential for targeted phishing and social‑engineering attempts.

TPWD is the state agency responsible for managing wildlife and fisheries, state parks, conservation programs, hunting and fishing regulations, boating registration, and enforcement by Texas Game Wardens. The department’s next steps — coordinating the vendor response, completing the Texas Cyber Command investigation, and notifying affected customers formally — will determine how fast exposed records are contained and how effectively follow‑on fraud is prevented.

Original reporting: https://www.bleepingcomputer.com/news/security/texas-govt-data-breach-exposes-over-3-million-drivers-licenses/