Millions of Texas hunters and anglers who purchased licenses online may now find their driver license numbers, passport numbers, and home addresses in unauthorized hands — the result of a breach affecting TPWD’s vendor-run license sales platform. Texas Cyber Command detected the incident, which potentially exposed data for more than 3 million customers, according to the department.
The exposed categories include:
- Driver license information
- Passport numbers
- Residential addresses
- Phone numbers
- Email addresses
Social Security numbers, credit cards, and financial data were not obtained. That’s a meaningful distinction — but a passport number paired with a home address is still plenty of raw material for identity fraud.
A Vendor Problem With a Long Paper Trail
The paper trail connecting this breach to a long-running third-party contract is surprisingly short.
TPWD hasn’t publicly named the compromised vendor. The breadcrumbs, however, aren’t hard to follow. Public contract records on TPWD’s own website list Gordon-Darby Inc. under a $40.1 million contract for “License Sales System Implement,” contract number 420614-1. Gordon-Darby’s own materials confirm the company won the TPWD contract in March 2012 and launched the Texas License Connection platform — the system operating at txfgsales.com — in October 2013. That’s over a decade of citizen data flowing through one specialized vendor’s infrastructure, spanning more than 1,700 retail locations statewide. These are the kinds of tech scandals that emerge when legacy contracts go unexamined for years.
Texas has been modernizing elsewhere. Boat registration already moved onto TxT, the state’s centralized digital assistant, developed in collaboration with the Department of Information Resources. Hunting and fishing licenses remain parked on the legacy vendor platform — the one now under investigation. Old plumbing, new paint.
What This Means for You Right Now
Anyone who purchased a license through Texas License Connection faces a specific combination of risks that shouldn’t be minimized.
The combination of government-issued ID numbers, contact details, and physical addresses creates real exposure for targeted phishing, identity fraud, and account takeover attempts — even without financial data in the mix. Privacy and identity-theft experts consistently flag driver license and passport numbers as high-value targets precisely because they unlock verification systems across multiple platforms. TPWD reports no minors were affected and no specific group was singled out. Scattered data, though, doesn’t need a target to cause damage.
TPWD says it’s working with the vendor to implement “new safeguards and enhanced monitoring” and confirms license sales will continue on schedule for August. Installing a deadbolt after someone already kicked the door in is technically a security improvement. Whether it’s sufficient is a separate question entirely.
The structural problem remains unsolved. When sensitive citizen data lives inside a twelve-year-old vendor system operating outside centralized state cybersecurity oversight, breaches stop being surprises and start being math. If you’re among those affected, monitor closely for suspicious emails, calls, or physical mail that reference your personal details. Phishing attempts rarely announce themselves.
