You can change a password and cancel a card. But replacing a passport or driver’s license number every time someone leaves yours unsecured in a vendor database isn’t so easy.

More than three million Texans are facing that problem after a data breach involving a vendor used by the Texas Parks and Wildlife Department (TPWD) to process hunting and fishing licenses.

In an announcement confirming the breach, TPWD says the hackers gained access through the third-party vendor’s systems and exposed personal information belonging to 3,087,721 people. The agency says the exposed data may include driver’s license information, passport numbers, email addresses, phone numbers, and residential addresses.

However, exactly what information was stolen remains unclear.

Conflicting accounts of what was exposed

In a breach notification filed with the Texas Attorney General’s office, TPWD said the incident affected:

  • Name of individual
  • Address
  • Social Security number information
  • Driver’s license number
  • Government-issued ID number (e.g. passport, state ID card)
  • Date of birth

When we asked them for clarification, TPWD referred us to the same public statement they put on the website, which lists this data as possibly stolen:

  • Driver license information
  • Passport numbers (if provided)
  • Email addresses
  • Phone numbers
  • Residential addresses

It explicitly said that Social Security numbers, dates of birth, and financial information, including credit card details, were not included in the incident.

“Social Security numbers, dates of birth and financial information, including credit card details were not obtained from this incident.” 

Those two lists don’t tally up, leaving Texans unclear as to exactly what information has been stolen.

TPWD has not identified the third-party vendor involved in the incident. It also declined to answer questions about when it first learned of the breach, how the attackers gained access to the data, or what specific security controls failed.

TPWD did say it is working with the license system vendor to implement increased safeguards. It didn’t say what those safeguards were, though, or exactly how the information was stolen in the first place.

Not the first major Texas data exposure

This isn’t the Texas government’s first data breach rodeo, which matters because criminals often combine data from multiple leaks. Information that seems limited on its own becomes much more useful when paired with other stolen data.

In 2020, software vendor Vertafore exposed records belonging to nearly 28 million Texas drivers by leaving the data in an unsecured external storage service, according to a StateScoop investigation.

In January last year, the Texas Department of Health and Human Services informed people that its employees had been stealing their data. At least 61,000 people were affected, it said at the time, before expanding that number in April to at least 94,000.

The latest breach, and the admission that government IDs were among the stolen data, may also complicate the Texas government’s repeated attempts to introduce digital identity programs. Senate Bill 215, which proposed a state digital ID for citizens, didn’t make it past committee.

If you bought a Texas hunting or fishing license

TPWD has offered affected individuals one year of free credit monitoring through Kroll. Enrollment closes September 14, 2026.

If you may have been affected:

  • Freeze your credit with Equifax, Experian, and TransUnion to make it harder for identity thieves to open accounts in your name.
  • Enroll in the Kroll credit monitoring before September 14, 2026.
  • Watch for phishing emails and texts referencing TPWD, fishing licenses, or the breach itself. Leaked emails and phone numbers are exactly what scammers use next.
  • Be suspicious of anyone who contacts you unexpectedly and asks you to verify driver’s license, passport, or other personal information.

Whether Texas ever reveals the vendor’s identity remains to be seen. What is certain is that the personal information of more than three million Texans is now in criminal hands.

