An investigation into the incident is currently ongoing. According to local media, McCraw described the actors responsible as a “Chinese organized crime group based in New York working in a number of different states.” The responsible actors targeted “look-alikes” of certain Chinese nationals living in the U.S. illegally, McCraw said. He did not name the group behind the incident. “We’re not happy at all,” McCraw said. “Controls should have been in place and this should have never happened.” The DPS is working with federal agencies as some other states have fallen victim to the scam.
Data from the Dark Web Used to Order Licenses
The criminals reportedly obtained the victims’ personal information and credit card data from the dark web. They used this information to log in and request new driver’s licenses from the Texas Department of Information Resources web portal under the guise of renewing their licenses. To log in to the licensing portal, users must provide the audit number on their driver’s license or answer security questions such as their mother’s maiden name or previous addresses. The scam did not involve hacking any state systems. Instead, it exploited the procedure for obtaining a driver’s license. The actors created at least 4,000 fake accounts and received 2,400 licenses. Jeoff Williams, DPS Deputy Director of Law Enforcement Services, told Texan lawmakers that paying for a replacement license requires only a credit card number, with no billing zip code or three-digit CVV number needed. Williams said the DPS has since requested that the Department of Information Resources and the agency’s vendor address these security gaps.
Some Culprits Have Been Arrested
The DPS first learned of the scam “at the end of last year” but decided against notifying victims to keep the investigation under wraps and apprehend the criminals responsible for it. McCraw said some of the people behind the incident had been arrested. However, not all lawmakers agree with the DPS’s decision. Rep. Mary González, a Democrat from El Paso, said this meant that thousands of Texans were probably impersonated for months. Such a decision could heavily impact people’s trust in government agencies and officials. Cybercriminals can use driver’s licenses to commit crimes like identity theft. Other information leaked in this incident, such as credit card data and other personal information, leaves victims open to social engineering attacks.