Hackers Access Third‑Party Vendor, Exposing Passport and Driver’s License Data of 3 Million Texans
What Happened — Hackers breached a third‑party vendor that processes hunting and fishing licenses for the Texas Parks and Wildlife Department (TPWD). The attackers exfiltrated personal information for 3,087,721 Texans, including driver’s license numbers, passport numbers, email addresses, phone numbers, and residential addresses. TPWD has not disclosed the vendor’s identity or the exact method of compromise.
Why It Matters for Compliance & Audit Readiness —
- A vendor‑management failure directly violates SOC 2 criteria for security and privacy, highlighting the need for documented due‑diligence and continuous monitoring of third‑party controls.
- The breach demonstrates the importance of maintaining audit‑ready evidence (e.g., vendor SOC 2 reports, monitoring logs) to prove that vendor risk is being actively managed.
- Continuous‑compliance programs must include breach‑response procedures that cover third‑party incidents, ensuring timely notification and remediation.
Who Is Affected — State government agencies, public‑sector vendors handling citizen identity data, and any organization that outsources processing of personally identifiable information (PII).
Recommended Actions —
- Map the vendor to your SOC 2 vendor‑management controls (CC6.1) and verify that a recent SOC 2 or equivalent attestation exists.
- Deploy continuous security monitoring of the vendor’s environment to capture real‑time evidence of control effectiveness.
- Update incident‑response playbooks to incorporate third‑party breach scenarios and conduct tabletop exercises.
- Notify affected individuals per state breach‑notification laws and provide guidance on identity‑theft protection. Source: Malwarebytes Labs
Technical Notes — The breach was disclosed via a TPWD public statement; the exact attack vector (e.g., credential theft, misconfiguration) was not disclosed. Data types potentially exposed include driver’s license numbers, passport numbers, email, phone, and address; some reports also list Social Security numbers, though TPWD later denied their inclusion. Source: Malwarebytes Labs