From The Texas Tribune:
The Texas Department of Public Safety was duped into shipping at least 3,000 Texas driver’s licenses to a Chinese organized crime group that targeted Asian Texans, DPS Director Steve McCraw told a Texas House committee on Monday.
The organization was then selling the licenses, obtained using the personal information of Texas drivers, to people in the country illegally, McCraw said.
The fraudsters worked through the state’s government portal, Texas.gov. The agency, which discovered the scheme in December, will begin notifying victims in letters to be sent out this week, the DPS chief said. More victims are still being identified, he said.
“We’re not happy at all, I can tell you that, one bit,” McCraw said in testimony to a House Appropriations subcommittee. “They should have had — controls should have been in place, and they never should have happened.”
The crime organization, which McCraw did not name, was able to get its hands on the Texas driver’s licenses by first pulling personal data on individuals with Asian surnames from the “dark web” and other underground data-trading portals.
That info, including previous addresses and family names, allowed thieves to correctly answer password security questions on the Texas.gov site and use stolen credit cards to order duplicate copies of active licenses — such as those ordered by people who misplace their licenses or report them stolen. A replacement license costs $11.
The state-run Texas.gov site is the central portal for Texans wanting to renew licenses, obtain driving records and registration, and obtain birth and death certificates, among other things.
The investigation into the stolen driver’s licenses spans at least four states and also involves fraudulent licenses duplicated from victims in other states as well as Texas. The FBI and the Department of Homeland Security are also investigating, according to the DPS letter to lawmakers.
House Appropriations Vice Chair Mary González, an El Paso Democrat, blasted DPS agency chiefs for letting so much time lapse while Texans were unaware that their identities were being used fraudulently.
“Somebody could be going around as Mary González right now for two months, and nobody’s been notified, I [wouldn’t have been] notified,” González said.
DPS officials are not calling the incident a “data breach” because they say no hacking was involved and vast amounts of data were not being stolen. Instead, the crime group used data obtained from underground sources to bypass a simple password security system — laying bare a security vulnerability that “should never have happened,” McCraw said.
Texas.gov is operated not by DPS, but by the Texas Department of Information Resources.
DPS officials declined to provide details about the security loophole that left the site open to fraud but told lawmakers that it had been closed.
DIR spokesperson Brittney Booth Paylor dismissed the notion that the incident was a cybersecurity breach, calling it “a case of fraudulent criminal activity based on factors unrelated to state systems.”
In an email to The Texas Tribune, Paylor explained that before the fraudulent activity took place, state agencies had the option to require the security (CVV) code and ZIP code for every credit card transaction that goes to their agency on Texas.gov.
She stopped short of saying that was the weak spot used by the criminals and declined to specify whether the DPS had put the practice in place. DPS officials declined to comment further, citing the investigation.
DPS declined to discuss specific details of the investigation in the hearing, including whether arrests had been made in connection with the Texas thefts, but in a letter to lawmakers, McCraw said “several subjects have been identified in this criminal enterprise.”
The criminal operation had not been made public before Monday’s hearing.
DPS officials also did not specify or speculate whether the thieves could have used the password login scheme to obtain other things, like birth certificates.