The DPS sent at least 3,000 driver’s licenses to an organized crime ring targeting Asian Texans.

Subscribe to The Brief, The Texas Tribune’s daily newsletter that keeps readers up to date with the most important Texas news.

The Texas Department of Public Safety was duped into sending at least 3,000 Texan driver’s licenses to a Chinese organized crime ring that was targeting Asian Texans, DPS Director Steve McCraw told a Texas House of Representatives committee on Monday.

The organization then illegally sold licenses obtained using the personal information of Texas drivers to people in the country, McCraw said.

The scammers worked through the Texas.gov state portal. The agency, which discovered the scheme in December, will start notifying victims with letters that will be sent out this week, the traffic police chief said. According to him, the identities of other victims are currently being established.

“We’re not happy at all, I can tell you that,” McCraw said in testimony to the House Appropriations Subcommittee. “They should have – controls should have been in place and this should never have happened.”

The criminal organization, which McCraw did not name, was able to obtain a Texas driver’s license by first extracting the personal data of individuals with Asian surnames from the “dark web” and other underground data trading portals.

This information, including previous addresses and last names, allowed thieves to correctly answer Texas.gov password security questions and use stolen credit cards to order duplicate active licenses, such as those ordered by people who lost their licenses or reported them. stolen. Replacing a license costs $11.

The state site Texas.gov is the central portal for Texans looking to renew their driver’s license, obtain driver’s licenses and registrations, and obtain birth and death certificates, among other things.

The stolen driver’s license investigation spans at least four states and also includes fake licenses duplicated from victims in other states as well as Texas. The FBI and Department of Homeland Security are also investigating, according to a DPS letter to lawmakers.

House Appropriations Vice Chair Mary Gonzalez, a Democrat from El Paso, criticized DPS agency executives for allowing so much time to pass while Texans were unaware their identities were being used fraudulently.

“Someone can go by the name of Mary Gonzalez right now for two months and no one has been notified, I [wouldn’t have been] notified,” Gonzalez said.

DPS officials don’t call the incident a “data breach” because they say there was no hack and huge amounts of data weren’t stolen. Instead, the criminal group used data obtained from clandestine sources to bypass a simple password protection system, discovering a security vulnerability that “should never have happened,” McCraw said.

Texas.gov is not run by the DPS, but by the Texas Information Resources Department.

DPS officials declined to give details about the security loophole that left the site open to fraud, but told lawmakers it was closed.

DIR spokesperson Britney Booth Paylor dismissed the notion that the incident was a breach of cybersecurity, calling it “a case of fraudulent criminal activity based on factors unrelated to government systems.”

In an email to The Texas Tribune, Paylor explained that before the fraudulent activity took place, government agencies had the ability to request a security code (CVV) and zip code for every credit card transaction that goes into their agency on Texas.gov.

She refrained from saying that this was a weak spot exploited by criminals and declined to elaborate on whether the DPS implemented the practice. The traffic police declined to comment further, citing the investigation.

The DPS declined to discuss specific details of the investigation at the hearing, including whether arrests were made in connection with the thefts in Texas, but in a letter to lawmakers, McCraw said “multiple actors have been identified in this criminal enterprise.”

The criminal operation was not made public until Monday’s hearing.

DPS officials also did not elaborate or suggest whether the thieves could have used the password login scheme to obtain other things, such as birth certificates.

The issue was first exposed in December when third-party payment provider Texas.gov “warned DPS of a rise in customers challenging credit card charges for online transactions,” according to a February letter sent to lawmakers by DPS. Authorities said the credit cards used to purchase counterfeit copies were also stolen.

McCraw said that before investigators dropped the operation, license thieves were able to use a site billed as “the official website of the state of Texas” to obtain driver’s licenses that are “Real ID compatible” rather than cheap copies, McCraw said.

According to McCraw, these stolen licenses can pass verification methods and be used fraudulently across the country because they are real driver’s licenses that are used by people who can impersonate a photo on the original card.

Gonzalez also asked if the persecution of Asian Americans is a hate crime.

McCraw, without making any commitment, said they were apparently targeted because their names and photos most closely resemble the people the syndicate will sell licenses to, according to what the agency’s investigation has so far found.

Letters due to be sent to affected Texans this week explain that if they suspect their ID is being used for fraudulent purposes, their cases will be given priority status. In addition, the department will ship replacement licenses free of charge to affected licensees.