Texas Parks and Wildlife Vendor Breach Exposes Driver’s Licences and Passports of Over 3 Million Residents
What Happened — Hackers compromised a third‑party vendor that processes data for Texas Parks and Wildlife, leading to the exposure of driver’s licence and passport numbers belonging to roughly 3 million licence holders.
Why It Matters for Compliance & Audit Readiness
- Highlights the risk of inadequate vendor‑risk management, a core SOC 2 CC6 control area.
- Demonstrates the need for continuous monitoring evidence to prove due‑diligence in audits.
- Reinforces the importance of contractual breach‑notification and audit‑rights clauses with third‑party providers.
Who Is Affected — Texas Parks and Wildlife (state agency) and the 3 million Texas residents whose personal identification data was exposed.
Recommended Actions — Conduct a SOC 2‑aligned vendor risk assessment, require continuous compliance evidence from the vendor, update contracts with breach‑notification clauses, and map the incident to CC6 controls for audit evidence. Source: HackRead
Technical Notes — Attack vector involved a compromise of a third‑party service handling personal identification data; no specific CVE disclosed. Exfiltrated data included driver’s licence numbers and passport numbers. Source: HackRead