Texas DOT reports massive data breach exposing nearly 300,000 crash records

The Texas Department of Transportation (TxDOT) has confirmed a significant cybersecurity incident involving the unauthorized access and download of nearly 300,000 crash reports from its Crash Records Information System (CRIS). The breach, discovered on May 12, 2025, exposed a wide range of sensitive personal information belonging to individuals involved in traffic accidents across the state.

According to TxDOT, the breach stemmed from the compromise of a system account used to access CRIS, which houses comprehensive data on traffic crashes, including personal details of those involved. Following the detection of unusual activity originating from the compromised account, TxDOT initiated an internal investigation and subsequently disabled access to the account to prevent further unauthorized activity.

The exposed information includes individuals’ first and last names, mailing and physical addresses, driver’s license numbers, license plate numbers, vehicle details, car insurance policy numbers, and in some cases, information related to injuries sustained and narrative descriptions of the crashes.

While Texas law does not mandate public disclosure of such incidents, TxDOT has opted for a proactive approach by notifying affected individuals through mailed letters. In the notification, TxDOT advised recipients to be especially cautious of emails, text messages, or phone calls referencing their crash history. The department emphasized that individuals should not share personal data such as Social Security numbers or bank information in response to unsolicited communications.

To assist those impacted, TxDOT recommended several precautionary measures including monitoring credit reports, placing fraud alerts on credit files, considering credit freezes, and filing taxes as early as possible to avoid potential identity theft.

Although TxDOT has not disclosed details regarding the actors behind the breach or the method of compromise beyond the account infiltration, it has confirmed that an investigation is ongoing. A dedicated call line has also been established to address questions and concerns from affected individuals.

Notably, the same day the TxDOT breach came to light, a similar cybersecurity incident was reported by the Illinois Department of Healthcare and Family Services (HFS). That breach affected 933 individuals and was traced to a phishing attack exploiting another compromised government email account. The stolen data in the Illinois case included Social Security numbers, driver’s licenses, state IDs, and financial information tied to child support and Medicaid.