Undisclosed Texas License Vendor Breach Exposes 3 Million Records Including Passports

The Texas Parks and Wildlife Department learned of the incident through the Texas Cyber Command after the unnamed vendor’s systems were compromised. TPWD stated that Social Security numbers, dates of birth, and payment data were not accessed and found no evidence minors or specific groups were targeted. License sales continue uninterrupted while the agency strengthens access controls on customer profiles.

Procurement records show TPWD has relied on a small set of recurring vendors for license systems since at least 2018, with limited public detail on their security certifications or incident response obligations. This matches patterns in prior Texas incidents where TxDOT crash reports and other agency data moved through contractors without disclosed downstream controls. Passport and driver’s license numbers create immediate identity-fraud vectors that persist longer than typical contact data.

Related Texas breaches at gas-station operators and healthcare entities demonstrate repeated contractor exposure without coordinated vendor audits across agencies. The decision to withhold the vendor name blocks cross-referencing with known supply-chain compromises tracked in CVE databases and state procurement filings.

Texas Cyber Command is expected to mandate additional access logging and third-party penetration testing within 90 days, yet similar requirements after earlier incidents produced no measurable decline in repeat exposures.