Texas Department of Transportation System Hacked, Nearly 300,000 Accident Data Stolen

Hackers have hacked into the account of a Texas Department of Transportation (TxDOT) employee and uploaded nearly 300,000 confidential accident reports, including names, addresses, driver’s license numbers, insurance policies, and injury details.

• On May 12, an unusual activity was noticed in the CRIS (Crash Records Information System). As the investigation established, the attackers gained access to detailed accident reports through a compromised account, including personal information of drivers, witnesses, information about injuries, and descriptions of incidents. Although the state is not required by law to publicly report the incident, TxDOT decided to send letters to victims, warning of potential fraudulent activities related to accidents. At the same time, a hotline has been opened for citizens to contact.

The Texas incident comes on the heels of a similar incident in Illinois, where 933 people were affected by a phishing attack on a Department of Health and Human Services employee that resulted in the leak of Social Security numbers, Medicaid data, and state IDs.

CRIS is the official Texas traffic accident report database, which contains sensitive information about all those involved in an accident. Such databases pose a high risk of being compromised because they are used by insurance, court, and law enforcement agencies.

The Illinois phishing attack once again demonstrates how effective classic social engineering techniques remain — even among government employees.

These two incidents demonstrate the vulnerability of critical databases in the U.S. public sector. Both Texas and Illinois responded with delays, and in the case of TxDOT, had no legal obligation to inform the public at all. This raises questions about transparency standards, accountability, and the need for a unified national whistleblower policy.