CybersecurityCybersecurity NewsGovernment: Federal, State and Local

Security Leaders Discuss Texas Hunting, Fishing License Data Breach

By Rachelle Blair-Frasier, Editor in Chief

Person holding fishing pole — Photo by Clark Young on Unsplash

The Texas Parks and Wildlife Department (TPWD) reported that the personal information of more than three million Texas hunting and fishing license customers may have been affected by a recent data breech.

According to a notification on the department's website, the Texas Cyber Command recently detected a cybersecurity incident involving the TPWD license system vendor that handles the sale of hunting and fishing licenses.

According to the report, the investigation revealed that an unauthorized actor may have obtained personal information - including driver license information, passport numbers, email addresses, phone numbers and residential addresses for more than 3 million Texas hunting and fishing license customers. However, Social Security numbers, dates of birth and financial information, including credit card details were not obtained from this incident. The notification also stated that there was no evidence that customers under the age of 18 were involved or that any specific group was targeted.

Here, some security leaders share their thoughts on the incident.

“It's no surprise that TPWD used an external contractor for this. That's incredibly common among local and state agencies since it's usually far cheaper to outsource this than to build and maintain their own IT systems," says Jake Williams: former NSA hacker, Faculty at IANS Research, a Boston-based cybersecurity research and advisory firm. "I actually work with one of the largest companies providing these services to state and local government agencies in the US (not the one implicated in this breach). I can tell you first hand that the complexity in these systems is absolutely wild. Often the provider wants to do the right thing for security, but the government agency requires some security downgrade to be compatible with their other systems (usually because they're legacy or outdated).

"It won't surprise me at all to see other state wildlife licensing platforms being targeted. Many will use similar software and interfaces to outsourcing vendors. Threat actors will take the lessons they learn from the Texas attack to make future attacks more successful.”

"Breaches like this don't end at the point of exposure. When driver's license numbers and passport data hit the market, they become fuel for account takeover, synthetic identity fraud, and targeted phishing at scale," says Kevin Gosschalk, founder and CEO Arkose Labs a fraud prevention and digital trust company and author focused on trust, AI, and the future of human-machine decision-making. "The victims here aren't just the three million Texans whose data was taken — they're anyone whose accounts those credentials get used to access next. Organizations need to assume this data is already in circulation and act accordingly."

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Rachelle Blair-Frasier is Security magazine’s Editor in Chief. Blair-Frasier handles eMagazine features, as well as writes and publishes online news and web exclusives on topics including physical security, risk management, cybersecurity and emerging industry trends. She helps coordinate multimedia content and manages Security magazine's social media presence, in addition to working with security leaders to publish industry insights. Blair-Frasier brings more than 15 years of journalism and B2B writing and editorial experience to the role.