
The Texas Parks and Wildlife Department has disclosed a data breach that exposed roughly three million records after a third‑party vendor handling licence sales was compromised (see the department’s notice).
SecurityAffairs reports that the compromised data included email addresses, physical addresses, phone numbers, driver’s licence details and passport numbers, while social security numbers and financial information were not accessed.
TPWD first noticed the incident on 22 June 2026 and has since been working with the vendor to secure the environment and improve controls (SecurityWeek coverage).
As a precaution, the department is offering affected individuals one year of free credit monitoring and advising them to review account statements for any unusual activity.
Security analysts note that the breach highlights the ongoing risk posed by third‑party service providers and underscores the need for rigorous vendor risk management, including regular security assessments and strict data‑handling clauses.
Organisations should enforce multi‑factor authentication on vendor accounts, limit the personal data shared to what is strictly necessary and monitor third‑party access for anomalous behaviour. Individuals receiving notices should consider placing a fraud alert on their credit files and remain wary of unexpected emails or texts that request personal details.