Hunters Blindsided: Massive Data Heist

Three million Texans bought a hunting or fishing license and got a data breach thrown in for free — and the state still does not know exactly when it happened.

Quick Take

  • A hacker broke into a vendor system used by Texas Parks and Wildlife Department to sell hunting and fishing licenses, exposing data on more than 3 million people.
  • Stolen data includes driver’s license numbers, passport numbers, home addresses, email addresses, and phone numbers.
  • Texas officials say Social Security numbers and financial data were not taken, but a separate filing tells a different story.
  • The state has not named the vendor, has not confirmed when the breach happened, and does not know if attackers made contact.
  • Affected Texans can sign up for one free year of credit monitoring through Kroll before September 14.

What Got Stolen and From Whom

Texas Parks and Wildlife Department notified Texas Cyber Command on May 13 after discovering that an outside vendor — the company that runs the state’s hunting and fishing license sales system — had been hit by an unauthorized actor.

The breach affected 3,087,721 Texans. The stolen data included driver’s license numbers, passport numbers, home addresses, email addresses, and phone numbers. Every one of those data points is a gift to an identity thief.

Texas Parks and Wildlife Department said Social Security numbers, birth dates, and financial information were not exposed. That is the official line. But a separate legal filing reviewed by Claim Depot lists Social Security numbers, dates of birth, medical information, and financial data among the affected fields. The two accounts cannot both be right.

Until the state releases its complete forensic findings, the true scope of what was taken remains an open question — and that gap matters enormously to the people affected.

The Vendor Problem Nobody Wants to Talk About

Here is the part that should make every Texan angry. The breach did not happen inside a state government building. It happened at a private vendor the state hired to handle license transactions. The state trusted that vendor with millions of people’s personal data. The vendor got hacked.

And as of now, the Texas Parks and Wildlife Department has not named the vendor, has not explained how the breach occurred, and has not confirmed when it began. That is a stunning lack of transparency for an incident of this size.

This is not a rare pattern. In 2024, at least 35.5 percent of all data breaches traced back to a third-party vendor — up from 29 percent the year before, and that number is likely an undercount. [12]

When a state agency outsources a core function, such as license sales, it also transfers the risk. The agency rarely loses sleep over the vendor’s security practices — until 3 million residents’ data ends up in the wrong hands.

Why a Driver’s License Number Is More Dangerous Than You Think

People hear “no Social Security numbers were taken” and feel relieved. They should not relax that fast. A driver’s license number combined with a home address, phone number, and email address gives a criminal enough information to open fraudulent accounts, redirect mail, and run phishing attacks tailored specifically to you.

Passport numbers make it even worse. These are not low-grade scraps of data. They are the building blocks of identity fraud, and they are now in the hands of unknown parties.

Texas Parks and Wildlife Department is offering one free year of credit monitoring through Kroll. Call 844-959-7123 between 8 a.m. and 5:30 p.m. Monday through Friday. The deadline to sign up is September 14.

That is a reasonable first step, but one year of monitoring is a short window. Identity theft built from this kind of data can surface years later, long after the free service expires.

Affected Texans should also place a free credit freeze with all three major credit bureaus — that costs nothing and stops new accounts from being opened in your name.

What the State Owes Hunters and Anglers Right Now

Texas Parks and Wildlife Department said it has added security measures and is working with the vendor to prevent future incidents. That is the standard language every agency uses after a breach. What is missing is accountability.

The state should name the vendor. It should release a timeline of when the breach started and how long it ran undetected. It should explain why its vendor contracts did not require stronger security controls.

Principles of government accountability demand that the people whose data was lost get honest, complete answers — not carefully worded reassurances. [2]

Sources:

[2] Web – Texas Parks & Wildlife Breach Exposes 3 Million Driver’s License …

[12] Web – Third-Party Data Breaches: What You Need to Know | Mitratech