The Texas Parks and Wildlife Department (TPWD) disclosed on June 18 that its license system vendor was breached, exposing personally identifiable information for 3,087,721 hunting and fishing license customers. The data breach notification was required under Texas Business and Commerce Code § 521.053. The agency hasn’t named the vendor.

Texas Cyber Command discovered the intrusion and launched an investigation into the unauthorized access. The exposed records include driver’s license information, passport numbers, email addresses, phone numbers, and residential addresses. Social Security numbers, dates of birth, and financial data were not compromised.

The data set is sufficient for targeted phishing campaigns. Threat actors with driver’s license details and home addresses can craft credible impersonation emails, push malware through fake login pages, or build dossiers on high-value targets. TPWD warned customers to stay alert for communications posing as official sources.

TPWD says it’s working with the vendor on new safeguards, but the vendor’s name still isn’t public. Third-party breaches at unnamed contractors are harder to track because the vendor’s security posture stays opaque to regulators and the public. If the same vendor serves other state wildlife agencies, the actual exposure could run well past 3 million records.

Impacted individuals are eligible for one year of free credit monitoring through Kroll. The enrollment deadline is September 14, 2026; call (844) 959-7123 to confirm eligibility.

James Okafor