The Texas Department of Public Safety (DPS) has begun notifying Asian Texans whose driver’s licenses were sent to a Chinese organized crime group due to a security lapse.
Department of Public Safety Chief Steve McCraw told lawmakers on Monday that the agency identified at least 3,000 Texans affected by the breach, but the number could increase as the investigation continues.
“We’re not happy at all, I can tell you that, one bit,” McCraw told the House Appropriations subcommittee. “Controls should have been in place, and this should have never happened.”
The New York-based crime ring targeted Texans with Asian surnames in hopes of finding “look-alikes” to match Chinese nationals who are in the U.S. illegally, McCraw said. The crime group’s identity was not released.
The licenses are being used fraudulently all over the country by those who can pass as the person on the original license or ID card, according to officials.
The agency said it did not immediately notify victims of the breach.
McCraw said the agency opted to “conduct a thorough criminal investigation to find out, one, the facts and circumstances” before alerting those affected.
“The last two weeks, we’ve been able to not just identify but arrest those involved in this organized criminal activity. And that’s been vital to it,” he continued, adding that “letters are going out this week” to those whose identity could be compromised.
The investigation showed that the criminals used the “dark web” to obtain information on Asian Texans, including personal details and credit card information.
The criminals used stolen credit card information to purchase duplicate driver’s licenses that were shipped to “an address of their choosing,” McCraw said. It is not uncommon for individuals to order a replacement for a stolen or lost license through the state’s website.
Lawmakers Respond
The breach was not made public until Monday’s hearing.House Appropriations Vice Chair Mary Gonzalez (D) expressed her displeasure with the agency for allowing more than two months to pass before notifying victims of the breach.
“Somebody could be going around as Mary Gonzalez right now for two months, and nobody’s been notified?” Gonzalez asked McCraw.
“The number one thing we have as a government agency, as government folks, is trust,” she continued. And when we lose that trust by not thinking it through, it’s difficult to rebuild that trust with people.”
Security Features
Prior to this issue, the DIR system did not require purchasers to enter their billing ZIP code or the credit card’s CVV, a three-digit code on the back of the card. The state agency sets the security features on their applications hosted by Texs.gov.DPS Deputy Director of Law Enforcement Services Jeoff Williams ensured lawmakers that the agency asked DIR to add these types of protective measures to its system.
“We’ve eliminated some of those vulnerabilities by doing those things,” Williams said.
In a statement to The Epoch Times, DIR pointed out that “this case was fraudulent criminal activity based on factors unrelated to state systems, not a cybersecurity incident.”
“No state systems, including the state’s portal, were hacked or breached,” DIR spokesperson Brittany Booth Paylor wrote in a statement. “However, just as we would in a cyber incident, we adapt to harden systems and strengthen security.
“Immediately after discovering the incident, DIR and the Texas Department of Public Safety (DPS), along with our industry service providers, formed a team to assess and determine any vulnerabilities and prevent such fraudulent activity from happening in the future.
Victims
Those affected should expect to receive a letter notifying them of the “fraudulent activity that resulted in your driver license card being sent to an unauthorized party,” The Dallas Morning News reported.“A criminal investigation was initiated and it was determined that subjects obtained personal information about you from an outside source which was used to access Texas.gov online services,” the Feb. 27 letter signed by Driver License Chief Sheri Gipson reads. “At that time, the mailing address was changed and a replacement driver license was requested. This fraudulent activity occurred in the later part of 2022.”
Replacement licenses will be issued to those affected.