A data breach at a Texas state government department allowed attackers to steal driver’s license information and passport numbers for more than 3 million people, according to a notice filed with the Texas Attorney General and reported by TechCrunch on June 18, 2026.
The incident is among the largest data breaches to affect Texas this year.
Read the TechCrunch report:
https://techcrunch.com/2026/06/18/texas-government-data-breach-allowed-hackers-to-steal-3-million-drivers-licenses-and-passports/
What Texas Parks & Wildlife Reported
In a data breach notice published on the Texas Parks & Wildlife website, the department said the state’s cybersecurity unit detected a security incident involving its hunting and fishing license system vendor. The vendor handles license sales and related identity verification.
Exposed data reportedly includes:
- Driver’s license information
- Passport numbers
- Email addresses
- Phone numbers
- Residential addresses
The department has not publicly named the vendor or confirmed whether attackers contacted the agency directly. TechCrunch’s request for comment was unanswered at publication time.

Why This Matters
Government and vendor-chain breaches that expose government-issued ID numbers create long-tail identity theft risk. Unlike a stolen password, a driver’s license or passport number cannot simply be rotated — victims may face fraudulent account openings, tax fraud, and impersonation for years.
For Texas businesses and professionals, this reinforces three lessons we see repeatedly in OAG breach filings:
- Third-party vendors are part of your attack surface — even when you do not operate the breached system.
- High-value identity data attracts targeted phishing — expect smishing and vishing campaigns referencing Texas licenses or state agencies.
- Documented cybersecurity programs matter — Texas SB 2610 Safe Harbor rewards organizations that maintain written, tier-appropriate security programs.

Post-Incident Security Posture Assessment
We ran independent EmailMeNow Cybersecurity Audits against Texas Parks & Wildlife and state portal domains on June 21, 2026:
| Organization (Domain) | Overall | Risk Level |
|---|---|---|
| Texas Parks & Wildlife (tpwd.texas.gov) | 74% | Good |
| State of Texas portal (texas.gov) | 65% | High Risk |
These public-facing scores do not prove how the vendor breach occurred — the hunting and fishing license system runs on a third-party vendor, not necessarily these web properties. They do illustrate the email and transport posture Texans see when interacting with state .gov sites after high-profile identity theft incidents.
Audit links:
What Affected Texans Should Do
- Monitor financial accounts and credit reports for unauthorized activity.
- Be skeptical of unsolicited calls, texts, or emails claiming to be from Texas Parks & Wildlife, DPS, or other state agencies.
- Consider a fraud alert or credit freeze if you purchased a Texas hunting or fishing license and believe your data may be involved.
- Use unique passwords and MFA on all accounts — attackers often pair leaked identity data with credential-stuffing attacks.

Vendor Risk for Every Texas Organization
If your business shares client or employee data with outside vendors — payroll, benefits, e-commerce, case management, or licensing platforms — this breach is a reminder to verify vendor security questionnaires, incident notification clauses, and least-privilege API access.
Benchmark your email and identity security posture.
Run a free audit at audit.emailmenow.com/?industry=local-government&state=texas or contact EmailMeNow IT Consulting for vendor risk review and SB 2610 documentation support.
Related trackers
- Texas OAG YTD dashboard
- Government & education tracker
- Monitoring guide
- All state AG trackers
- Washington healthcare breaches (2026)
- Washington law firm breaches (2026)
- CA June roundup
- TX July roundup
- WA May roundup
- TX Parks breach
- Have I Been Pwned
- HIBP July roundup
Sources: TechCrunch — Texas government data breach · EmailMeNow audits — tpwd.texas.gov · texas.gov