The Liberty Daily 
(Reclaim The Net)—Texas spent the past two years building the legal machinery to make you prove who you are before you go online. This week it showed how well it guards the identity documents it already holds.
Hackers pulled the driver’s license and passport numbers of more than 3 million people out of a state government system, in one of the largest breaches Texas has reported this year.
The stolen records came from the Texas Parks and Wildlife Department, the agency that sells hunting and fishing licenses. A breach notice posted on the department’s website says the state’s cybersecurity unit detected a security incident that gave attackers access to the outside vendor running its license system.
The department did not say what the incident was or when it happened and it has not named the company that handles its license data.
Driver’s license details and passport numbers were not the only things taken. The department says the haul also included email addresses, phone numbers, and home addresses of affected license holders.
People who buy a Texas fishing license hand their identity documents to the state and the state hands those documents to a contractor it won’t identify.
The agency also declined to say whether the hackers have contacted it, which usually means a ransom demand or a public dump is somewhere on the table.
Three million people now have to wonder whether their government ID is sitting in a criminal marketplace and they can’t even find out which company lost it. The incident sits on the Attorney General Ken Paxton’s public breach reporting page alongside the rest of the year’s losses.
This is the same Texas that has positioned itself as the national leader in forcing people to show identification online. State law now requires age verification to reach adult websites, a mandate the Supreme Court upheld last year, and a separate law pushes app stores to confirm how old their users are before letting them download anything.
A government that cannot keep 3 million existing records out of hackers’ hands is now insisting that more companies gather the same kind of data from everyone else.
Every age check that demands a scanned license or a face scan creates another database, another vendor, another copy of your identity waiting to leak. The Parks and Wildlife breach is what that policy produces, except here the data was sitting in state hands the whole time and still got out.
The same pattern showed up in October, when Discord disclosed that attackers had reached a third-party vendor and exposed roughly 70,000 users’ government ID photos, images the company had collected to verify ages.
Discord blamed the contractor and said its own systems stayed intact, which is cold comfort to anyone whose passport photo is now loose on the internet.
The lesson repeats with each of these incidents, which is that the weak point is rarely the company you handed your ID to but the chain of vendors behind it that you never agreed to trust and that nobody audits until after the breach.
Driver’s license and passport numbers don’t expire and you can’t reset them like a password. The 3 million Texans in this breach face a real risk of identity theft for years and they face it not because they did anything online but because they went fishing.
That is the cost the verification-first approach keeps pushing onto the people it claims to protect. The state asks for proof of who you are, then loses it, then asks for more.
