Cybersecurity · Tuesday, 23 June 2026
01 · Briefing · what happened
Texas loses 3 million hunters' and anglers' data — through a vendor they never chose
A third-party license seller for Texas Parks & Wildlife was breached, exposing driver's license and passport numbers for 3 million people, alongside a wave of breaches that all began at a supplier rather than the named company.
Key takeaways
- Texas Parks & Wildlife disclosed a breach exposing data on 3 million license-holders — but the break-in happened at a third-party vendor, not the agency itself.
- Driver's license and passport numbers were taken; Social Security numbers and financial data were not.
- The same pattern hit cybersecurity firms via the Klue supplier breach and Fortinet customers via FortiBleed — the named company often isn't where the breach began.
- You can't audit a vendor you never chose, but a credit freeze and multi-factor authentication blunt the damage when one fails.
If you bought a hunting or fishing license in Texas, your data may now be in a stranger’s hands — and the company that lost it isn’t one you ever heard of. The Texas Parks and Wildlife Department (TPWD), the state agency that runs the parks and licenses, disclosed a breach affecting roughly 3 million people.
What was taken, and what was spared
The stolen data covers people who bought hunting and fishing licenses: email addresses, physical addresses, phone numbers, driver’s license details, and passport numbers.
The agency says the worst categories were spared: no Social Security numbers, no dates of birth, no credit card or financial data.
Two things are still unknown, and they’re material. The vendor’s name hasn’t been released, and no one knows who carried out the attack.
The same shape, three times this week
The Texas breach isn’t a one-off. It’s this week’s version of a structure showing up everywhere: the company whose name is on the breach often isn’t where the breach began.
Several firms — including the cybersecurity companies Huntress, Recorded Future, Jamf, Tanium, Snyk, HackerOne, and OneTrust — disclosed they were hit through a breach at Klue, a business-intelligence supplier they all used.
Then there’s FortiBleed. Security researchers found a database of around 75,000 stolen logins — usernames, emails, and plaintext passwords — taken from customers of Fortinet’s firewalls and VPN gateways.
Why “your vendor’s vendor” is the weak point
In each case, the people who pay weren’t the people who chose. A Texan buying a fishing license never picked TPWD’s licensing vendor — couldn’t audit it, couldn’t switch it, didn’t know it existed. Klue’s customers chose Klue, but their customers further down the line didn’t. This is how a breach travels through a chain of suppliers most of us can’t see.
There’s a quieter unease running alongside all this. A rare joint statement from the Five Eyes intelligence alliance — the US, UK, Canada, Australia and New Zealand — warned that advanced AI models capable of serious cyberattacks may be only months away.
What an ordinary person can do
You can’t fix a vendor you’ve never heard of. But you can blunt the damage. If you bought a Texas hunting or fishing license, watch for scam emails and texts that reference it — thieves use stolen addresses and phone numbers to make their lures look legitimate. Consider a credit freeze if you’re worried about the driver’s license and passport exposure; it’s free and blocks new accounts in your name. And anywhere you can, turn on multi-factor authentication — most of this week’s breaches would have been far smaller if a stolen password alone hadn’t been enough.
02 · Lesson · why it matters
When the one who decides isn't the one who pays
A risk feels cheap to whoever makes the choice but never bears the cost — so the choice gets made again.
A decision you were never part of
A Texan walks into a sporting-goods store, buys a fishing license, and hands over a driver’s license number to prove who they are. Months later, a stranger has that number, along with their address and passport details. Somewhere between the counter and the breach sat a company the buyer never heard of — a third-party vendor the state agency hired to run license sales.
The buyer made one decision: get a license. They did not choose the vendor, did not see its security, could not have switched to a safer one, and will never learn its name. Yet the cost of its failure — years of watching for fraud — lands squarely on them. The agency that picked the vendor keeps its job. The vendor that lost the data is still in business. The person who absorbs the risk had no say in the choice that created it.
The price you don’t feel, you keep paying
Economists have a plain name for this gap: an externality. When you make a choice and someone else pays for it, the price never reaches you. And a price you don’t feel is a price you’ll happily incur again.
This is the engine underneath so many breaches. A company decides to plug in a handy outside tool — a sales-intelligence app, a license processor, a firewall it forgot to lock down. The convenience is immediate and lands on the decider. The risk is delayed and lands on someone downstream — a customer, a citizen, the customer’s customer. From where the decision is made, the tool looks free. The bill is real, but it’s mailed to a different address.
The chain hides the bill
What makes this hard to see is that the cost travels through links most people can’t observe. The cybersecurity firms breached this week — Huntress, Recorded Future, Jamf, Tanium and others — chose to use a supplier called Klue. Their own customers never chose Klue; many never knew it existed. When Klue was breached and stolen digital keys were used to impersonate it inside the firms’ systems, the exposure flowed one more link down the chain, to people two steps removed from any decision they could have influenced.
Each company in the chain made a choice that was cheap for itself and quietly risky for whoever sat below it. Recorded Future’s own conclusion named the blind spot exactly: third-party integrations with access to sensitive data need continuous watching. That’s another way of saying the decider rarely feels the weight of a tool it’s stopped looking at.
Why the same mistake repeats
Once you see the pattern, the repetition stops being surprising. The Fortinet credential leak turned on devices left exposed with weak passwords. The Klue break-in started with an old login nobody had retired. The Texas breach rode in through a vendor whose security the agency didn’t have to live inside. None of these were exotic. They were the cheap, convenient default — chosen by someone who wouldn’t carry the consequence.
A risk only gets priced when the chooser pays. When the cost is exported down a chain, the chooser sees a bargain, repeats it, and the bargain keeps shipping its bill to strangers. That’s not a moral failing in any one company. It’s what happens when incentives and consequences live at different addresses.
Where we all sit in this
It’s tempting to read this as other people’s carelessness. But the same structure runs through ordinary life. We accept a free app’s terms without reading who it shares data with. We let one company’s login work everywhere because it’s convenient, so one breach becomes five. We trust that the agency, the bank, the store has vetted the suppliers behind it — because checking would be our cost, and not checking feels free until it isn’t.
Seeing the whole here doesn’t make you clever. It makes you a little more careful about the choices whose bills you can’t see — and a little more sympathetic to the people downstream of choices you’d never have known to question. The fix isn’t outrage at one vendor. It’s noticing that risk stays cheap exactly where no one has to feel it, and that the quiet defences — a second login check, a frozen credit file, a closed-down old account — are how a person catches a bill that someone else decided to send.
03 · Lab · your turn
Follow the bill
Trace your data down a chain of vendors and see who actually pays when a link breaks versus who made the choice.
04 · Hope · carry this
The same chains that quietly carry a risk also carry a fix: a state cyber unit catching the breach, an agency tightening its controls, a researcher mapping who's exposed so people can act. Once you can see where a hidden cost lands, you can finally do something about it — and a frozen credit file or a second login check is a real defence you hold in your own hands.