AUSTIN, Texas — The state shipped thousands of Texas driver's licenses to an international organized crime group in a security lapse that is still under investigation, Department of Public Safety Chief Steve McCraw said Monday.
The Department of Public Safety has identified at least 3,000 Texans who have been affected and is investigating more potential cases, department officials told House budget writers during a hearing Monday. Texans of Asian descent were targeted by what McCraw described as “a Chinese organized crime group based in New York working in a number of different states.”
“We’re not happy at all,” he told the lawmakers. “Controls should have been in place and this should have never happened.”
The agency is working with federal agencies, McCraw said, and the investigation spans at least four states, and other states have also been similarly targeted. It’s not clear when the investigation will be completed.
No state systems were hacked, officials said. Instead, the criminal actors were able to fraudulently obtain the licenses in a scheme McCraw described this way: Personal data about Texans of Asian descent was obtained on the dark web, including credit card and personal information, and then used to request replacement driver’s licenses from the state using the data. The group specifically targeted Asians of various backgrounds with the hopes of finding “look-alikes” to match with Chinese nationals here in the country illegally, he said.
McCraw did not identify the alleged criminal organization by name.
While DPS issues licenses, they are ordered through a portal operated by a separate agency, the Texas Department of Information Resources. At least 4,000 fraudulent accounts were created and 2,400 licenses were shipped to “third-party addresses,” according to a letter from DPS notifying legislators of the problem.
DPS first learned about the problem at the end of last year but had not yet notified affected Texans because they have been working on the criminal investigation and apprehending those responsible, McCraw said, some of whom he said have been arrested.
The decision drew criticism from state Rep. Mary González, who pointed out that thousands of Texans could have been impersonated for months without their knowledge.
“The number one thing we have as a government agency, as government folks, is trust. And when we lose that trust by not thinking through, it’s difficult to rebuild that trust with the people,” the El Paso Democrat said, adding that the agency needed to be shepherding affected Texans through ensuring their identities are protected.
Rep. Mano DeAyala, R- Houston, raised concerns about how the driver licenses from Texas could be used to get IDs from other states.
“We don’t want to be that weak link,” he said.
Jeoff Williams, DPS Deputy Director Law Enforcement Services, told lawmakers the bad actors did not breach the state’s system, but rather exploited existing security vulnerabilities in the online portal.
Texans looking to log into the license system had to provide an audit number on their driver license or answer a series of questions about themselves, such as previous addresses or their mother’s maiden name. The bad actors were able to find those personal details on the dark web to gain access to Texans’ accounts, Williams said.
In order to pay for the replacement, the system only required a credit card number, but not the billing zip code or the three-digit code on the back on the card, known as a CVV, he added. Williams said the department asked the Department of Information Resources and the agency’s vendor to address those issues.
“We’ve eliminated some of those vulnerabilities by doing those things,” Williams said.
In a statement, DIR reiterated no state systems were hacked and this was a “case of fraudulent criminal activity based on factors unrelated to state systems, not a cybersecurity incident.”
DIR oversees the state’s online infrastructure, but state agencies set the security features on their individual applications hosted by Texas.gov, spokesperson Brittney Booth Paylor said in a written statement.
After this incident, Paylor said DIR now requires credit card features like CVV or zip code authentication for all transactions.
———
