DALLAS — Texas.gov bills itself as the “official website of the state of Texas.”
It was not hacked and did not suffer a breach.
But, it did fall victim to fraud.
Texas Department of Public Safety Chief Steve McCraw said an “Asian organized crime group” was able to find personal data belonging to thousands of Texans of Asian descent on the dark web.
McCraw said those criminals then used that data to create accounts on Texas.gov – where official driver’s licenses can be renewed, or a replacement can be ordered.
DPS said it mailed at least 2,400 replacement driver’s licenses to what it now believes are members of that organized crime group.
The group, according to DPS, could then sell those licenses to Chinese nationals who are illegally in the country and desperate to have some sort of valid identification.
During a hearing of the Texas House subcommittee on appropriations that is responsible for the agency’s budget, DPS said it would begin notifying victims through letters this week.
The Texas attorney general’s website has an entire page explaining what to do if your identity is stolen.
Among other tips, it suggests:
- Calling the fraud departments of accounts that have been compromised
- Contacting major credit reporting agencies to ask that a free fraud alert be placed on a credit report
- Changing passwords and pins for all potentially compromised accounts.
In bold type, the page reads, “If your identity has been stolen, it is critical that you act quickly to minimize any damage.”
But DPS did not act fast enough to notify victims, said state Rep. Mary González, a Democrat from the El Paso area who chairs the appropriations subcommittee.
When she questioned McCraw about the fraud during a Monday hearing, it was the first public acknowledgement of any problem.
DPS detected the fraud in late 2022.
“It could be my driver’s license and right now someone could be going around as Mary González for two months and nobody’s been notified,” González asked.
DPS said a multi-jurisdiction investigation remains open with the FBI, Department of Homeland Security and three other states that have also fallen victim.
DPS does not operate Texas.gov – that falls under the Department of Information Resources.
But DPS said the criminal organization was able to order replacement licenses because Texas.gov only used ideology-based security questions to verify someone’s identity.
DPS said answers to those questions, like a mother’s maiden name or a previous street address, are among the personal data easily available on the dark web.
In an emailed statement, the Department of Information Resources said this was “a case of fraudulent criminal activity based on factors unrelated to state systems, not a cybersecurity incident. No state systems, including the state’s portal, were hacked or breached.”
Spokesman Brittney Booth Paylor added that Texas.gov and the payment processing portal is requiring additional security measures such as the CVV, which is the code on the back of a credit card, and billing zip codes.
But Paylor declined to answer when asked to clarify if those additional security measures were in place in late 2022 when the fraud was detected.
Because the investigation remains open, more than that 2,400 victims could still be identified.
“The reality is there was a loophole or a lapse in our system and that’s what we’ve found so far,” González told WFAA in an interview after the hearing. “I think this is the beginning of a larger conversation.”
González said she’s concerned about what happened on a number of levels, but the fact that the fraud was detected months ago and no one was notified is high on the list.
“Nobody knows who they are and they have every right to know,” she said.
“DPS has a significant amount of funds and has really no reason to have this kind of problem. So, we’re going to make sure the agency uses its funding it already has appropriated to take care of Texans.