28 Million Texas Drivers Caught in Payment Vendor Breach

28 Million Texas Drivers Caught in Payment Vendor Breach
A third-party payment processor handling transactions for Texas.gov exposed the personal records of approximately 27.7 million Texas drivers, according to the Texas Department of Public Safety. The compromised data included driver's license numbers, home addresses, dates of birth, and vehicle registration history. The Texas Department of Public Safety's own computer systems were not penetrated.
The vendor detected the breach in December 2022 after spotting unusual spikes in customer account activity. That kind of detection—a surge in transaction volume or login attempts—often surfaces through billing records before more sophisticated monitoring tools pick it up. The fact that the breach occurred at the vendor's location rather than DPS itself is technically important, but it matters less to those affected.
From the perspective of someone whose personal details are now in circulation, where the data left from is less relevant. A stolen driver's license number, home address, and birth date can be used just as effectively for identity fraud, targeted phishing emails, or building fake identities, regardless of which company's servers the data came from.
The scale of this breach covers a significant portion of Texas's adult population. Driver's license numbers combined with addresses and dates of birth are valuable because together they answer the "knowledge-based" security questions that banks, government websites, and insurance companies use to verify your identity. Any single piece of that information would be relatively low-risk on its own. Together, they give someone the pieces needed to impersonate you in financial systems.
Government agencies across the country increasingly rely on outside vendors to handle sensitive tasks—processing payments, verifying identities, managing documents. Each of these outside connections expands the risk surface that an agency faces. A government department can invest heavily in its own cybersecurity and still end up vulnerable through vendors who handle real transactions on its behalf. The Texas breach is a clean example of this structural problem: DPS protected its own systems well, but the exposure happened in a contracted layer beyond its direct control.
How the vendor detected this breach is worth thinking about. It caught the problem through billing anomalies and unusual account activity counts—not through advanced intrusion detection tools or security logs. This detection method is common in practice, but it raises a practical question for practitioners: what monitoring responsibilities do state agencies actually require of their payment processors. Did the contract ensure that suspicious activity would be spotted quickly, or did the vendor operate its monitoring system in isolation, only telling DPS when it decided to report.
DPS has published guidance for affected individuals at its driver license security incident page. The standard protective steps apply: freeze your credit with the three major bureaus, watch for suspicious new accounts opened in your name, and watch for phishing emails that reference details they now know about you. Because this dataset is rich and personal, phishing attacks could be tailored specifically to sound convincing.
State agencies currently reviewing their vendor relationships should study what happened in Texas. The important question is not whether a vendor has standard security certifications on file, but whether the real-time monitoring signals—transaction volumes, API activity, unusual access patterns—flow into a shared detection system with the agency itself, or stay locked within the vendor's operation center, invisible until the vendor decides to send a notice.


