Cyber Incident Victim: Texas Parks & Wildlife
Date: Jun 2026
Location: United States of America
Summary
The Texas Parks & Wildlife Department experienced a data breach after attackers gained unauthorized access to a third‑party vendor system that processes hunting and fishing license transactions. The compromise exposed driver’s license numbers, passport numbers, email addresses, phone numbers and residential addresses of over three million individuals. Investigators found no evidence of malware, ransomware or phishing, and the attack was classified as a supply chain compromise with no threat actor identified. The incident prompted regulatory review and public notification efforts concerning the exposed personal data.
Description
On May 13, 2026, the Texas Parks & Wildlife Department notified Texas Cyber Command after discovering a breach involving an unnamed third-party vendor that processes hunting and fishing license transactions. The breach had been initially detected by the state’s cybersecurity unit. On June 12, 2026, the department published a Notification of Data Security Incident. On June 18, 2026, the breach was publicly disclosed, confirming that over three million individuals were affected. Additional technical and news coverage on June 19, 2026, corroborated the scope and impact of the breach.

The breach resulted from unauthorized access to a third‑party vendor system that stored driver’s license numbers, passport numbers, email addresses, phone numbers, and residential addresses for license holders. No malware, ransomware, or phishing campaigns were involved in the compromise. The attacker gained direct access to the vendor’s information repositories, extracting the personal data tied to hunting and fishing license transactions. Mapping the incident to the MITRE ATT&CK framework, the initial access aligns with technique T1195 (Supply Chain Compromise), collection with T1213 (Data from Information Repositories), and exfiltration with either T1041 (Exfiltration Over C2 Channel) or T1030 (Data Transfer Size Limits), although the exact exfiltration method was not disclosed. As of June 19, 2026, no group or individual had claimed responsibility and no technical indicators of compromise such as file hashes or malware signatures had been published.

Driver’s license and passport numbers are highly valuable for identity theft and fraud, and the inclusion of contact information increases the risk of targeted phishing and social engineering attacks against affected individuals. The Texas Attorney General’s Office confirmed the requirement for public disclosure and notification to affected individuals, and the breach is listed on the agency’s Data Security Breach Reports portal. Historically, supply chain and third‑party vendor compromises have been a recurring threat in the public sector, with incidents such as the SolarWinds breach of 2020 and the Accellion FTA attacks of 2021 illustrating similar risks. No further details about the vendor’s software versions or the precise dates of initial compromise were disclosed in the reporting.
