More than 3 million Texans who have bought hunting or fishing licenses may have had some of their personal information exposed after a cybersecurity incident tied to the Texas Parks & Wildlife Department's licensing system, officials disclosed Thursday. The issue stems from a third-party vendor that manages license sales, and investigators say certain government ID numbers and contact information may have been accessed.
In a notice on its website, the agency said Texas Cyber Command detected the incident and that an unauthorized actor "may have obtained" driver’s license data, passport numbers (if provided), email addresses, phone numbers, and residential addresses for more than 3 million customers, according to TPWD. The department says it is working with the license system vendor to tighten security, and that license sales will still roll out as planned for August and the next license year. TPWD also pointed out that many of its own staff, who hunt and fish themselves, are caught up in the breach.
According to the same notice, "There is no evidence that customers under the age of 18 were involved," and investigators do not believe Social Security numbers, dates of birth or any financial information, including credit card details, were accessed in this incident, per TPWD. Even so, the agency is urging customers to take common identity theft precautions while the probe and extra monitoring continue.
To help limit the fallout, TPWD is offering one year of free credit monitoring through Kroll for affected customers. People who think they might be impacted can check eligibility and sign up through a dedicated call center at (844) 959-7123. The agency has set an enrollment deadline of Sept. 14, 2026, and is warning customers to monitor financial accounts, watch for phishing attempts and consider freezing their credit, as reported by ABC13. The call center operates on weekdays from 8 a.m. to 5:30 p.m. Central time, according to the notice.
Why Vendors Are Now The Primary Target
Cybersecurity analysts say attackers are increasingly aiming at third-party vendors because a single break-in can expose data on millions of people in one shot. That pattern has shown up in several high-profile vendor hacks this year, highlighting how public agencies can be pulled into the blast radius when they lean on private platforms, according to Inside Higher Ed.
Legal Duties And What This Could Mean
Texas law requires that any organization notify the Office of the Attorney General when a breach affects 250 or more residents, and the AG's guidance lays out strict timelines and consumer protection rules. That setup means TPWD or its vendor will have formal reporting duties and could face additional follow-up based on what investigators ultimately uncover, according to the Office of the Attorney General.
For now, anyone who has purchased a Texas hunting or fishing license is being urged to read TPWD's incident notice, review the Kroll enrollment information, and keep a close eye on bank and credit card statements for anything suspicious. The department's dedicated call center is still the quickest way to confirm eligibility for the free monitoring offer and to get answers about what to do next.
