Texas Data Breach Exposes 3M Driver Licenses

The Texas Parks and Wildlife Department disclosed a data breach at its license system vendor that exposed personal information for more than three million individuals . According to the state's attorney general, hackers took the driver's license information and passport numbers of more than 3 million people . The incident is one of the largest data breaches to affect the state this year, as reported by TechCrunch .

The Texas Cyber Command discovered the intrusion and launched an investigation to determine the extent and impact of the unauthorized access . A Kroll webpage dedicated to the incident reveals that an investigation has not determined when the breach took place, though the department notified Texas Cyber Command on May 13 .

How Did Hackers Access the System?

In a data breach notice on the Texas Parks & Wildlife website, the department said the state's cybersecurity unit recently detected a security incident that allowed hackers to access the department's license system vendor, which handles the sale of hunting and fishing licenses . The department did not name the vendor or respond to TechCrunch's request for comment about the incident .

The threat actor may have obtained personally identifiable information associated with 3,087,721 Texas hunting and fishing license customers . The breach included email addresses, phone numbers, and residential addresses of affected license holders .

The state authority found that Social Security Numbers, dates of birth, or any financial information, such as credit cards, have not been impacted . TPWD says in the data breach notification there is no evidence that customers under the age of 18 were involved or that any specific group was targeted .

What Are the Identity Theft Risks?

The exposed data set is sufficient for hackers to target impacted individuals in phishing and social engineering attacks that lead to web pages distributing malware or seeking more sensitive information . Security experts note that driver's license and passport numbers represent high-value identity documents that cannot be easily changed or reset like passwords.

Driver's license and passport scans often end up on the Dark Web after a data breach, where they sell for anywhere from $20 for a scan to $150 for a "fullz" . An ID contains enough sensitive personal information to steal identity, access bank accounts, and forge official documents .

The combination of driver's license information with contact details creates particular risks. If a driver's license number falls into the wrong hands, criminals can use it fraudulently for fake IDs, employment fraud, or other forms of identity theft, including using the information to steal identity and open credit accounts .

What Is Texas Offering Affected Customers?

Affected customers are eligible to receive one year of free credit monitoring through Kroll, and customers can confirm their eligibility by contacting the dedicated call center at (844) 959-7123, with an enrollment deadline of September 14, 2026 . The call center is available from 8 a.m. to 5:30 p.m. CT, Monday through Friday, to answer questions about the incident or the services being offered .

The TPWD said in a release: "We recognize the seriousness of this issue and have identified and implemented additional security options to better protect customer information" . A TPWD spokesperson told Newsweek in an emailed statement on Friday: "We believe current and future customer data are not at risk" .

TPWD said it is working with the affected vendor to introduce additional preventive measures, including enhanced monitoring and access controls .

How Does This Compare to Other Texas Breaches?

Texas has experienced several major data breaches in 2026. Texas Attorney General Ken Paxton launched an investigation on February 12, 2026, following a data breach exposing personal data of about 4 million Texans at Conduent Business Services LLC . The breach, occurring between October 21, 2024, and January 13, 2025, compromised sensitive health information, including data of Texas Medicaid recipients and Blue Cross Blue Shield of Texas clients .

The Parks & Wildlife breach follows a pattern of third-party vendor vulnerabilities. The weak point is rarely the company you handed your ID to but the chain of vendors behind it that you never agreed to trust and that nobody audits until after the breach .

What Changed This Week

Texas disclosed one of its largest government data breaches of 2026, affecting 3.1 million hunting and fishing license holders whose driver's license and passport information was stolen through a vendor system. The state's Cyber Command detected the intrusion in May but has not determined when the breach occurred. Affected individuals now face identity theft risks from exposed government identification documents that cannot be easily replaced.

What to Watch

The September 14 enrollment deadline for free credit monitoring through Kroll represents the key date for affected customers. Texas has not identified the breached vendor, and whether the state will face regulatory scrutiny or legal action remains unclear. Watch for potential announcements from the Texas Attorney General's office regarding any investigation into the vendor's security practices, and monitor whether other states using similar hunting and fishing license vendors report comparable breaches.

Reporting based on coverage from TechCrunch, BleepingComputer, The Register, SC Media, and Newsweek, June 18-19, 2026.