More than three million people who bought a Texas hunting or fishing license have had their personal data stolen after a breach at a third-party vendor that processes those licenses for the Texas Parks and Wildlife Department (TPWD). The agency says attackers reached the data through the vendor's systems and exposed information on 3,087,721 individuals.
What was taken
TPWD has given conflicting accounts of exactly what was exposed, which leaves affected Texans unsure of their risk. A breach notification the agency filed with the Texas Attorney General's office lists names, addresses, Social Security number information, driver's license numbers, government-issued ID numbers such as passport or state ID details, and dates of birth. The public statement on TPWD's website, by contrast, lists driver's license information, passport numbers, email addresses, phone numbers, and residential addresses, and explicitly says Social Security numbers, dates of birth, and financial information were not involved. The two lists do not match.
That distinction matters. Passwords and payment cards can be changed after a breach, but a driver's license or passport number cannot be swapped out easily, which makes this kind of identity data especially valuable to fraudsters and especially hard for victims to recover from.
What TPWD has not said
The agency has not named the third-party vendor, and it declined to say when it first learned of the breach, how the attackers got in, or which security controls failed. It said only that it is working with the license-system vendor to add safeguards, without describing them. This is not the state's first large data exposure: a 2020 incident tied to a software vendor exposed records on nearly 28 million Texas drivers, and breaches often compound when criminals combine data from multiple leaks. Large-scale credential and identity dumps continue to surface, as seen in a recent find of 24 billion exposed credentials, and third-party vendors remain a recurring weak point, much like the supplier compromise behind the Klue Salesforce data theft.
What affected people should do
TPWD is offering one year of free credit monitoring through Kroll, with enrollment closing September 14, 2026. If you bought a Texas hunting or fishing license, consider freezing your credit with Equifax, Experian, and TransUnion to make it harder for thieves to open accounts in your name, and enroll in the monitoring before the deadline. Be especially wary of phishing messages referencing TPWD, fishing or hunting licenses, or the breach itself, and treat any unexpected request to verify your driver's license, passport, or other personal details as suspicious. Details of the disclosure are available in the breach reporting.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.