Texas Parks and Wildlife vendor breach exposes 3 million license holders
A breach at the third-party vendor that processes Texas hunting and fishing licence sales exposed the driver's licence numbers, passport numbers and contact details of more than three million Texans, though the state said Social Security numbers and financial data were not taken.
- Victim
- Texas Parks and Wildlife Department
- records
- 3.1M
- users
- 3.1M
On 18 June 2026, the Texas Parks and Wildlife Department (TPWD) β the state agency that issues hunting and fishing licences to Texans β publicly disclosed a data breach at the third-party vendor that processes its licence sales, exposing the personal information of more than three million people. It is one of the largest US state-government data breaches disclosed so far in 2026, and a fresh reminder of the outsized risk that outsourced service providers pose to public-sector data.
What happened
According to TPWD, the breach did not occur on its own systems but on those of an external vendor that processes hunting and fishing licence transactions on the department's behalf. Texas Cyber Command detected unauthorised access to the vendor's environment and notified TPWD on 13 May 2026. The department published a formal Notification of Data Security Incident on 12 June 2026 and made a broader public disclosure on 18 June 2026.
The agency said its investigation had not determined when the initial intrusion occurred, how the attacker gained entry, or how long they had access. The vendor behind the breach was not publicly named, and as of disclosure no other states had reported a related incident.
Impact
TPWD said the exposed data covered 3,087,721 individuals and included driver's licence numbers, passport numbers (where customers had provided them), email addresses, phone numbers and residential addresses. The department stated that Social Security numbers, dates of birth and financial information β including credit-card details β were not obtained in the incident.
In response, TPWD set up a dedicated breach call centre and offered affected individuals free credit monitoring, with an enrolment deadline of 14 September 2026. No threat actor has claimed responsibility, and the department has not reported any ransom demand.
Why it matters
The breach highlights how a government agency's data is only as secure as the vendors it entrusts with citizen records. Driver's licence and passport numbers are durable identifiers that fuel identity theft and fraud for years, and their exposure at scale is far harder to remediate than a password reset. The incident underscores why public bodies should hold third-party processors to the same security and breach-notification standards as their own systems, and inventory exactly which sensitive fields those vendors hold.
Timeline
Texas Cyber Command notifies the Texas Parks and Wildlife Department that unauthorised access was detected in the systems of the third-party vendor processing its hunting and fishing licence sales.
TPWD publishes a formal Notification of Data Security Incident describing the exposed data.
TPWD publicly discloses the breach, confirming that personal information for more than three million licence holders was exposed.
Sources
- bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/texas-govt-data-breach-exposes-over-3-million-drivers-licenses/
- theregister.comhttps://www.theregister.com/security/2026/06/19/texas-gov-vendor-breach-exposes-data-of-3m-hunters-anglers/
- cbsnews.comhttps://www.cbsnews.com/texas/news/3-million-texas-hunting-fishing-license-data-breach/
- tpwd.texas.govhttps://tpwd.texas.gov/about/notification-of-data-security-incident
- nbcdfw.comhttps://www.nbcdfw.com/news/local/massive-data-breach-could-impact-millions-of-texas-hunting-and-fishing-license-holders/4039264/