The Texas Department of Public Safety was duped into shipping at least 3,000 Texas driver's licenses to a Chinese organized crime group that targeted Asian Texans, DPS Director Steve McCraw told a Texas House committee on Monday.
The crime group worked through the state's government portal, Texas.gov. The agency, which discovered the security breach in December, will begin notifying victims in letters to be sent out this week, the DPS chief said. More victims are still being identified, he said.
"We're not happy at all, I can tell you that, one bit," McCraw said in testimony to a House Appropriations subcommittee. "They should have had — controls should have been in place, and they never should have happened."
The crime organization, which McCraw did not name, was able to get its hands on the Texas driver's licenses by first pulling personal data on individuals with Asian surnames from the "dark web" and other underground data-trading portals.
That info, including previous addresses and family names, allowed thieves to correctly answer password security questions on the Texas.gov site and use stolen credit cards to order duplicate copies of active licenses — such as those ordered by people who misplace their licenses or report them stolen. A replacement license costs $11.
The state-run Texas.gov site is the central portal for Texans wanting to renew licenses, obtain driving records and registration, and obtain birth and death certificates, among other things.
The investigation into the stolen driver's licenses spans at least four states and also involves fraudulent licenses duplicated from victims in other states as well as Texas. The FBI and the Department of Homeland Security are also investigating, according to the DPS letter to lawmakers.
House Appropriations Vice Chair Mary González, an El Paso Democrat, blasted DPS agency chiefs for letting so much time lapse while Texans were unaware that their identities were being used fraudulently.
"Somebody could be going around as Mary González right now for two months, and nobody's been notified, I [wouldn't have been] notified," González said.
DPS officials are not calling the incident a "data breach" because they say no hacking was involved and vast amounts of data were not being stolen. Instead, the crime group used data obtained from underground sources to bypass a simple password security system — laying bare a security vulnerability that "should never have happened," McCraw said.
Texas.gov is operated not by DPS, but by the Texas Department of Information Resources.
DPS officials declined to provide details about the security loophole that left the site open to fraud but told lawmakers that it had been closed.
DIR spokesperson Brittney Booth Paylor dismissed the notion that the incident was a cybersecurity breach, calling it "a case of fraudulent criminal activity based on factors unrelated to state systems."
In an email to The Texas Tribune, Paylor explained that before the fraudulent activity took place, state agencies had the option to require the security (CVV) code and ZIP code for every credit card transaction that goes to their agency on Texas.gov.
She stopped short of saying that was the weak spot used by the criminals and declined to specify whether the DPS had put the practice in place. DPS officials declined to comment further, citing the investigation.
DPS declined to discuss specific details of the investigation in the hearing, including whether arrests had been made in connection with the Texas thefts, but in a letter to lawmakers, McCraw said "several subjects have been identified in this criminal enterprise."
The criminal operation had not been made public before Monday's hearing.
DPS officials also did not specify or speculate whether the thieves could have used the password login scheme to obtain other things, like birth certificates.
The problem was first detected in December when a third-party Texas.gov payment vendor "alerted DPS to an increase in customers challenging credit card charges for online transactions," according to a February letter sent to lawmakers from the DPS. The credit cards used to buy the fraudulent copies were also stolen, authorities said.
Before investigators shut down the operation, McCraw said, the license thieves were able to use the site, billed as "the official website of the State of Texas," to obtain driver's licenses that are "Real ID compliant" — not cheap copies, McCraw said.
These stolen licenses can pass verification methods and be used fraudulently all over the country because they are real driver's licenses being used by people who can pass for the photo on the original card, McCraw said.
González also asked whether the fact that Asian Americans were being targeted would constitute a hate crime.
McCraw, without committing either way, said they appeared to be targeted because their names and photos would most closely resemble the people the syndicate would be selling the licenses to, according to what the agency's investigation has uncovered so far.
Letters set to go out to affected Texans this week explain that if they suspect their ID is being used fraudulently, their cases will be given priority status. Also, the department will send affected licensees replacement licenses free of charge.
This article originally appeared in The Texas Tribune at https://www.texastribune.org/2023/02/27/texas-drivers-license-theft-dps/. The Texas Tribune is a member-supported, nonpartisan newsroom informing and engaging Texans on state politics and policy. Learn more at texastribune.org.