Texas Parks & Wildlife: 3.08M licence holders exposed via an unnamed third-party vendor — with a public-vs-AG-filing SSN contradiction
From CTI Daily Brief — 2026-06-21 · published 2026-06-21
The Texas Parks and Wildlife Department disclosed on 2026-06-18/19 that a breach at an unnamed third-party vendor handling hunting and fishing licence sales exposed 3,087,721 customers' names, driver's-licence numbers, passport numbers, email addresses, phone numbers and residential addresses (BleepingComputer, 2026-06-19). The Texas Cyber Command flagged the intrusion (reported 13 May). TPWD's public statement said Social Security numbers were not involved — but The Register reviewed the agency's own filing to the Texas Attorney General's breach portal and reports it contradicts that, indicating SSNs were included (The Register, 2026-06-19). The vendor remains unnamed; Kroll is providing credit monitoring.
Defender takeaway: The operationally instructive part is that a government agency minimised breach scope in its public notice while its own regulator filing shows broader exposure. Public-sector bodies contracting licence/registry SaaS (including Swiss cantonal systems) should require contractual breach-notification timelines, SOC 2 Type II attestation, and segmentation guarantees on the licence database, and should reconcile public statements against regulator filings before publishing.