Cyberattack on Texas State vendor exposes data of over 3 million hunting and fishing license holders

A massive cybersecurity breach targeting an external vendor for the Texas Parks and Wildlife Department (TPWD) has exposed the personal information of more than 3 million residents, marking the state's largest documented data breach of the year.

The incident, which was detected by Texas Cyber Command, compromised a database used to process and sell state hunting and fishing licenses. According to state officials, an "unauthorized actor" successfully infiltrated the vendor's system and exfiltrated the sensitive records of 3,087,721 customers.

What data was compromised

The compromised dataset contains a mix of government-issued identification and contact details. Authorities confirmed that the stolen information includes:

• Driver’s license information

• Passport numbers (where provided by customers)

• Residential addresses

• Email addresses and phone numbers.

State officials emphasized that highly sensitive financial and identification data remained secure during the breach. Social Security numbers, dates of birth, and financial details such as credit card numbers were not obtained by the attacker.

Furthermore, there is currently no evidence that minors under the age of 18 were affected or that any specific demographic was targeted.

Response and accountability

While the immediate threat has been contained, TPWD has declined to publicly name the third-party software vendor responsible for managing the license platform, drawing scrutiny from cybersecurity experts regarding supply chain risk and transparency in state government contracts.

In a public statement, TPWD acknowledged the severity of the situation, noting that many of its own staff members are hunters and anglers who were personally impacted. The agency has implemented tighter access controls for customer profiles and stated it is working closely with the vendor to deploy enhanced security safeguards.

Despite the ongoing cleanup, state officials confirmed that annual hunting and fishing license sales will proceed on schedule.

Next steps for impacted Texans

Cybersecurity analysts warn that while the lack of financial data limits immediate monetary theft, the combination of physical addresses, emails, and driver’s license numbers provides malicious actors with enough leverage to launch highly sophisticated phishing and identity impersonation campaigns.

Texas residents who have previously purchased outdoor licenses are urged to take defensive measures. The state is offering one year of complimentary credit monitoring and identity restoration services through the corporate security firm Kroll. Affected individuals have until September 14, 2026, to enroll in the free monitoring program by contacting the dedicated state response line.