Thousands of Asian Texans targeted in driver’s license breach

A “Chinese organized crime group based in New York” was able to obtain thousands of licenses from the state due to lax security protocols, officials confirmed Monday.
The exterior of the Texas Department of Public Safety Driver License Mega Center on Thursday, Oct. 28, 2021, in Garland. (Juan Figueroa / The Dallas Morning News)
By Lauren McGaughy and Allie Morris

10:59 AM on Feb 27, 2023 GMT-6 — Updated at 6:49 PM on Feb 27, 2023 GMT-6


Update: Updated at 6:45 p.m. with comments from a board member of DFW Chinese Alliance.

AUSTIN — The state shipped thousands of Texas driver’s licenses to an international organized crime group in a security lapse that is still under investigation, Department of Public Safety Chief Steve McCraw said Monday.

The Department of Public Safety has identified at least 3,000 Texans who have been affected and is investigating more potential cases, department officials told House budget writers during a hearing Monday. Texans of Asian descent were targeted by what McCraw described as “a Chinese organized crime group based in New York working in a number of different states.”

“We’re not happy at all,” he told the lawmakers. “Controls should have been in place and this should have never happened.”

The agency is working with federal agencies, McCraw said, and the investigation spans at least four states, as other states have also been similarly targeted. It’s not clear when the investigation will be completed.

No state systems were hacked, officials said. Instead, the criminal actors were able to fraudulently obtain the licenses in a scheme McCraw described this way: personal data about Texans of Asian descent was obtained on the dark web, including credit card and personal information, and then used to request replacement driver’s licenses from the state. The group specifically targeted Asians of various backgrounds with the hopes of finding “look-alikes” to match with Chinese nationals here in the country illegally, he said.

McCraw did not identify the alleged criminal organization by name.

While DPS issues licenses, they are ordered through a portal operated by a separate agency, the Texas Department of Information Resources. At least four thousand fraudulent accounts were created and 2,400 licenses were shipped to “third-party addresses,” according to a letter from DPS notifying legislators of the problem.

DPS first learned about the problem at the end of last year, but has not yet notified affected Texans because they have been working on the criminal investigation and apprehending those responsible, McCraw said, some of whom he said have been arrested.

The decision drew criticism from Rep. Mary González, who pointed out that thousands of Texans could have been impersonated for months without their knowledge.

“The number one thing we have as a government agency, as government folks, is trust. And when we lose that trust by not thinking through, it’s difficult to rebuild that trust with the people,” the El Paso Democrat said, adding that the agency needed to be shepherding affected Texans through ensuring their identities are protected.

Rep. Mano DeAyala, R-Houston, raised concerns about how the driver’s licenses from Texas could be used to get IDs from other states.

“We don’t want to be that weak link,” he said.

Hailong Jin, board member of the DFW Chinese Alliance, said he, along with many in the Chinese American community in North Texas, learned about stolen data through news reports. He said the state should have notified potential victims earlier and stressed the importance of language-appropriate material for victims who are not English-proficient.

“They should have immediately notified any victims, because even within a few days they could have caused further damage,” Jin said.

Jeoff Williams, DPS Deputy Director of Law Enforcement Services, told lawmakers the bad actors did not breach the state’s system, but rather exploited existing security vulnerabilities in the online portal.

Texans looking to log into the license system had to provide an audit number on their driver’s license or answer a series of questions about themselves, such as previous addresses or their mother’s maiden name. The bad actors were able to find those personal details on the dark web to gain access to Texans’ accounts, Williams said.

In order to pay for the replacement, the system only required a credit card number, but not the billing zip code or the three-digit code on the back of the card, known as a CVV, he added. Williams said the department asked the Department of Information Resources and the agency’s vendor to address those issues.

“We’ve eliminated some of those vulnerabilities by doing those things,” Williams said.

In a statement, DIR reiterated no state systems were hacked and this was a “case of fraudulent criminal activity based on factors unrelated to state systems, not a cybersecurity incident.”

DIR oversees the state’s online infrastructure, but state agencies set the security features on their individual applications hosted by Texas.gov, spokesperson Brittney Booth Paylor said in a written statement.

After this incident, Paylor said DIR now requires credit card features like CVV or zip code authentication for all transactions.

Texans who believe they were targeted in the scam and fell victim to identity theft or fraud are being asked to contact local law enforcement or file a report with the state’s iWatch system, according to the Department of Public Safety.