The DPS has identified at least 3,000 Texans who’ve been affected and is investigating more potential cases, officials told House budget writers during a hearing Monday. Texans of Asian descent were targeted by what McCraw described as “a Chinese organized crime group based in New York working in a number of different states.”
No state systems were hacked, officials said. Instead, the criminal actors fraudulently obtained the licenses in a scheme McCraw described this way: Personal data about Texans of Asian descent was obtained on the dark web, including credit card and personal information, and used to request replacement driver’s licenses from the state.
While DPS issues licenses, they are ordered through a portal operated by the Texas Department of Information Resources (DIR). At least 4,000 fraudulent accounts were created and 2,400 licenses were shipped to “third-party addresses,” according to a letter.
Jeoff Williams, DPS deputy director of law enforcement services, told lawmakers the bad actors didn’t breach the state’s system, but rather exploited existing security vulnerabilities in the online portal.
Texans looking to log into the license system had to provide an audit number on their driver’s license or answer a series of questions about themselves, such as previous addresses or their mother’s maiden name. The bad actors were able to find those personal details on the dark web, he said.
In order to pay for the replacement, the system required only a credit card number, but not the billing ZIP code or the three-digit code on the back on the card, known as a CVV, he added. Williams said the department asked the DIR and the agency’s vendor to address those issues.
In a statement, DIR reiterated no state systems were hacked and this was a “case of fraudulent criminal activity based on factors unrelated to state systems, not a cybersecurity incident.”
DIR oversees the state’s online infrastructure, but state agencies set the security features on their individual applications hosted by Texas.gov, DIR said.
After this incident, DIR now requires credit card features like CVV or ZIP code authentication for all transactions.
DPS learned about the problem at the end of last year but has not yet notified affected Texans because they have been working on the criminal investigation and apprehending those responsible, McCraw said, some of whom he said have been arrested.
The agency is working with federal agencies, and the investigation spans at least four states, as other states have also been similarly targeted.
Notification letters are being sent to affected license holders.
©2023 The Dallas Morning News. Distributed by Tribune Content Agency, LLC.