Tools / News / Texas License Vendor Breach Exposes 3 Million Driver's Licenses and Passport Numbers
Press

Texas License Vendor Breach Exposes 3 Million Driver's Licenses and Passport Numbers

· VaultTools

The Texas Parks and Wildlife Department disclosed a breach at its hunting and fishing license vendor that exposed driver's license information and passport numbers for 3,087,721 people. Texas Cyber Command found the intrusion; the vendor was not named. Disclosed June 18, 2026.

VaultTools · June 21, 2026

A passport, a driver license, and a hunting and fishing license on a black surface, one document dissolving into green data fragments drifting away, illustrating identity records leaking from a vendor's storage. Illustration: VaultTools

Table of Contents

What Happened

The Texas Parks and Wildlife Department (TPWD) disclosed a data breach at the third-party vendor that runs its hunting and fishing license system. According to TechCrunch, the breach “allowed hackers to steal 3 million driver’s licenses and passports.”

BleepingComputer reported the exact figure: 3,087,721 individuals. These are people who bought a Texas hunting or fishing license and handed over identity details to do it.

The vendor that operated the license system has not been named. TPWD said it is “working closely with the license system vendor to implement new safeguards and enhanced monitoring services.”

What Was Exposed

The exposed records included driver’s license information, passport numbers, email addresses, phone numbers, and residential addresses, according to SC Media and BleepingComputer.

TPWD said Social Security numbers, dates of birth, and financial information such as credit card numbers were not affected. The agency also stated there was “no evidence that customers under the age of 18 were involved or that any specific group was targeted.”

That still leaves a government-issued ID number, a passport number, and a home address tied together for more than three million people, the exact combination identity thieves use to open accounts and run impersonation scams.

How It Happened

The breach did not happen on a Texas government server. It happened at the outside company contracted to sell and manage the licenses. TechCrunch reported that hackers accessed “the department’s license system vendor,” and BleepingComputer noted that Texas Cyber Command, the state’s cybersecurity unit, detected the intrusion at that vendor.

This is the recurring shape of modern ID leaks: a public agency collects sensitive documents to deliver a routine service, hands the data to a contractor to process and store, and the data sits there until someone gets in. Buying a fishing license should not require trusting a third party with your passport number for years.

The Disclosure Timeline

Texas Cyber Command discovered the security incident and launched an investigation into the scope of the unauthorized access. TPWD then posted a breach notification to its website and filed notice with the Texas Attorney General’s office. TechCrunch published its report on June 18, 2026, and BleepingComputer followed on June 19, 2026.

Affected individuals are being offered one year of free credit monitoring. TPWD advised customers to watch their credit reports, consider a credit freeze or fraud alert, and stay alert to phishing and impersonation attempts.

Why This Matters for Browser-Based File Tools

A passport scan or driver’s license that never leaves your device cannot sit in a contractor’s database to be stolen later. The Texas breach is a failure of stored data, data uploaded once for a single transaction and then retained on a server outside the agency’s direct control.

VaultTools is built on the opposite default. Every tool runs client-side in your browser through WebAssembly. When you crop an ID photo, strip metadata from a scan, redact a passport page, or convert a document, the file is processed in memory on your own machine. There is no upload, no server-side copy, and no vendor storage bucket to misconfigure or breach. A file that never leaves the device cannot leak from one.

Agencies and the vendors they hire will keep collecting identity documents. But for the everyday handling people do themselves, resizing, converting, and redacting, local processing removes the failure mode entirely.

Sources

← Back to all news