Texas Parks and Wildlife Vendor Breach Exposes Data of 3 Million Hunters and Anglers
A breach at an unnamed license-sales vendor for the Texas Parks and Wildlife Department has exposed the personal data of over 3 million Texans, including driver's license and passport numbers.
The Texas Parks and Wildlife Department (TPWD) has disclosed a data breach affecting 3,087,721 Texans, after attackers compromised a third-party vendor that handles hunting and fishing license sales. The breach exposed a trove of personal information, including names, driver's license and passport numbers, email addresses, phone numbers, and residential addresses. While the department initially stated that Social Security numbers were not involved, a filing with the Office of the Attorney General appears to contradict that, noting that SSNs were also compromised.
The unnamed vendor, which processes license transactions for TPWD, was breached at an undetermined time. The department notified Texas Cyber Command on May 13, 2026, but an investigation has not yet pinpointed when the attack occurred. A dedicated Kroll webpage for the incident confirms that the timeline remains unclear. Affected individuals are being offered one year of free credit monitoring through Kroll, with enrollment open until September 14.
The breach underscores the persistent risk posed by third-party vendors in government services. TPWD stated that it is working with the vendor to implement additional security measures, including enhanced monitoring and access controls. "We recognize the seriousness of this issue and have identified and implemented additional security options to better protect customer information," the department said in a statement. "Many of our staff are hunters and anglers and were affected by this incident."
Despite the breach, TPWD confirmed that new license sales scheduled for August will proceed as planned. However, the website used to purchase licenses was unreachable at the time of reporting, raising questions about the vendor's operational stability. The department did not name the vendor, citing ongoing investigations.
This incident adds to a growing list of data breaches involving state and local government vendors. In recent months, similar attacks have hit agencies across the U.S., exposing millions of records. The Texas breach is particularly notable for its scale and the sensitivity of the data involved, including government-issued identification numbers.
Affected individuals are advised to enroll in credit monitoring and remain vigilant for phishing attempts that may leverage the exposed information. The breach also serves as a reminder for government agencies to rigorously vet and monitor third-party vendors that handle sensitive citizen data.
The BleepingComputer report adds that the breach was discovered on May 12, 2026, and that the vendor's system processes hunting and fishing license transactions, exposing driver's license numbers, passport numbers, and other personal identifiers. TPWD is now mailing notification letters to over 3 million affected individuals and offering complimentary credit monitoring services through Experian. The incident underscores the persistent supply-chain risks inherent in government vendor relationships, where third-party access to sensitive data can lead to large-scale exposures.