Texas authorities were duped into sending at least 3,000 driver’s licenses to a Chinese organized crime group that sold the licenses to people who are inside the United States illegally, a top state official said. The scheme targeted Asian Texans, according to Steve McCraw, Director of the Texas Department of Public Safety.
The fraudsters worked through the state’s government portal, Texas.gov. The agency discovered the scheme in December, and will begin notifying victims in letters to be sent out this week, the DPS chief said. More victims are still being identified, he said.
READ MORE about schemes involving migrants
McCraw made his remarks on Monday while appearing before a Texas House committee.
“We’re not happy at all, I can tell you that, one bit,” McCraw said in testimony to a House Appropriations subcommittee. “Controls should have been in place, and they never should have happened.”
The crime organization, which McCraw did not name, was able to get its hands on the Texas driver’s licenses by first pulling personal data on individuals with Asian surnames from the “dark web” and other underground data-trading portals.
That info, including previous addresses and family names, allowed thieves to correctly answer password security questions on the Texas.gov site and use stolen credit cards to order duplicate copies of active licenses — such as those ordered by people who misplace their licenses or report them stolen. A replacement license costs $11.
McCraw said the victims appeared to have been targeted because their names and photos would most closely resemble the people the syndicate would be selling the licenses to.
The state-run Texas.gov site is the central portal for Texans wanting to renew licenses, obtain driving records and registration, and obtain birth and death certificates, among other things.
The investigation into the stolen driver’s licenses spans at least four states and also involves fraudulent licenses duplicated from victims in other states as well as Texas. The FBI and the Department of Homeland Security are also investigating, according to the DPS letter to lawmakers.
House Appropriations Vice Chair Mary González, an El Paso Democrat, blasted DPS agency chiefs for letting so much time lapse while Texans were unaware that their identities were being used fraudulently.
“Somebody could be going around as Mary González right now for two months, and nobody’s been notified, I [wouldn’t have been] notified,” González said.
Officials at DPS are not calling the incident a “data breach” because they say no hacking was involved and vast amounts of data were not being stolen. Instead, the crime group used data obtained from underground sources to bypass a simple password security system — laying bare a security vulnerability that “should never have happened,” McCraw said.
The Texas.gov site is operated by the Texas Department of Information Resources.
Officials declined to provide details about the security loophole that left the site open to fraud but told lawmakers that it had been closed.
DPS declined to discuss specific details of the investigation in the hearing, including whether arrests had been made in connection with the Texas thefts; but, in a letter to lawmakers, McCraw said “several subjects have been identified in this criminal enterprise.”
The criminal operation had not been made public before Monday’s hearing.
– Reported by Karen Brooks Harper, Texas Tribune