Texas Public Safety agency sent at least 3,000 driver’s licenses to organized crime group targeting Asian Texans

Fly View Productions/Getty Images

 

Connecting state and local government leaders

A Chinese crime operation bypassed the password clues of Texas.gov by using stolen identity information to fraudulently obtain replacement driver’s licenses.

The Texas Department of Public Safety was duped into shipping at least 3,000 Texas driver’s licenses to a Chinese organized crime group that targeted Asian Texans, DPS Director Steve McCraw told a Texas House committee on Monday.

The organization was then selling the licenses, obtained using the personal information of Texas drivers, to people in the country illegally, McCraw said.

The fraudsters worked through the state’s government portal, Texas.gov. The agency, which discovered the scheme in December, will begin notifying victims in letters to be sent out this week, the DPS chief said. More victims are still being identified, he said.

“We’re not happy at all, I can tell you that, one bit,” McCraw said in testimony to a House Appropriations subcommittee. “They should have had — controls should have been in place, and they never should have happened.”

The crime organization, which McCraw did not name, was able to get its hands on the Texas driver’s licenses by first pulling personal data on individuals with Asian surnames from the “dark web” and other underground data-trading portals.

That info, including previous addresses and family names, allowed thieves to correctly answer password security questions on the Texas.gov site and use stolen credit cards to order duplicate copies of active licenses — such as those ordered by people who misplace their licenses or report them stolen. A replacement license costs $11.

The state-run Texas.gov site is the central portal for Texans wanting to renew licenses, obtain driving records and registration, and obtain birth and death certificates, among other things.

The investigation into the stolen driver’s licenses spans at least four states and also involves fraudulent licenses duplicated from victims in other states as well as Texas. The FBI and the Department of Homeland Security are also investigating, according to the DPS letter to lawmakers.

House Appropriations Vice Chair Mary González, an El Paso Democrat, blasted DPS agency chiefs for letting so much time lapse while Texans were unaware that their identities were being used fraudulently.

“Somebody could be going around as Mary González right now for two months, and nobody’s been notified, I [wouldn’t have been] notified,” González said.

DPS officials are not calling the incident a “data breach” because they say no hacking was involved and vast amounts of data were not being stolen. Instead, the crime group used data obtained from underground sources to bypass a simple password security system — laying bare a security vulnerability that “should never have happened,” McCraw said.

Texas.gov is operated not by DPS, but by the Texas Department of Information Resources.

DPS officials declined to provide details about the security loophole that left the site open to fraud but told lawmakers that it had been closed.

DIR spokesperson Brittney Booth Paylor dismissed the notion that the incident was a cybersecurity breach, calling it “a case of fraudulent criminal activity based on factors unrelated to state systems.”

In an email to The Texas Tribune, Paylor explained that before the fraudulent activity took place, state agencies had the option to require the security (CVV) code and ZIP code for every credit card transaction that goes to their agency on Texas.gov.

She stopped short of saying that was the weak spot used by the criminals and declined to specify whether the DPS had put the practice in place. DPS officials declined to comment further, citing the investigation.

DPS declined to discuss specific details of the investigation in the hearing, including whether arrests had been made in connection with the Texas thefts, but in a letter to lawmakers, McCraw said “several subjects have been identified in this criminal enterprise.”

The criminal operation had not been made public before Monday’s hearing.

DPS officials also did not specify or speculate whether the thieves could have used the password login scheme to obtain other things, like birth certificates.

The problem was first detected in December when a third-party Texas.gov payment vendor “alerted DPS to an increase in customers challenging credit card charges for online transactions,” according to a February letter sent to lawmakers from the DPS. The credit cards used to buy the fraudulent copies were also stolen, authorities said.

Before investigators shut down the operation, McCraw said, the license thieves were able to use the site, billed as “the official website of the State of Texas,” to obtain driver’s licenses that are “Real ID compliant” — not cheap copies, McCraw said.

These stolen licenses can pass verification methods and be used fraudulently all over the country because they are real driver’s licenses being used by people who can pass for the photo on the original card, McCraw said.

González also asked whether the fact that Asian Americans were being targeted would constitute a hate crime.

McCraw, without committing either way, said they appeared to be targeted because their names and photos would most closely resemble the people the syndicate would be selling the licenses to, according to what the agency’s investigation has uncovered so far.

Letters set to go out to affected Texans this week explain that if they suspect their ID is being used fraudulently, their cases will be given priority status. Also, the department will send affected licensees replacement licenses free of charge.

This article originally appeared in The Texas Tribune at https://www.texastribune.org/2023/02/27/texas-drivers-license-theft-dps/.

The Texas Tribune is a member-supported, nonpartisan newsroom informing and engaging Texans on state politics and policy. Learn more at texastribune.org.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.