The Texas Department of Transportation (TxDOT) has disclosed a data breach after a threat actor accessed and downloaded 300,000 crash records from its database.
The breach took place on May 12, 2025, and stemmed from a login using compromised credentials—yet another example of how a single weak link in identity security can put huge amounts of sensitive data at risk.
Here’s what we know about the breach so far, and the lessons learned.
How did the TxDOT breach happen?
In a statement released this week, TxDOT said it detected “unusual activity” in its Crash Records Information System (CRIS) on May 12, 2025.
A closer investigation revealed the source: a compromised account that was used to access and extract a large volume of sensitive data.
The exposed records contain a troubling amount of personal information. According to TxDOT, the downloaded crash reports include:
- Full names
- Home addresses
- Driver’s license numbers
- License plate numbers
- Car insurance policy details
- Descriptions of injuries sustained and crash circumstances
While the agency has not yet disclosed how many individuals are affected, the nature of the information raises serious concerns.
With detailed information like license plates, injury reports, and insurance policies, attackers could easily use the stolen data to impersonate insurance reps, launch hyper-targeted phishing campaigns, or even commit identity fraud disguised as post-accident follow-ups.
TxDOT’s response
TxDOT has begun notifying individuals affected by the breach.
In the breach notification letters, TxDOT urges recipients to stay vigilant against potential scams and targeted attacks that may leverage the stolen data.
Notably, TxDOT has not offered identity theft protection or credit monitoring—services now considered part and parcel of breach responses. Instead, affected individuals are being left to monitor their own credit and brace for any potential fallout.
Recipients are being advised to closely monitor their credit reports for suspicious activity and consider placing a credit freeze to prevent fraudulent accounts from being opened in their names.
TxDOT says it has disabled the compromised account used in the attack and is now implementing additional security measures to prevent a repeat. But for the individuals whose crash data was exposed, the burden of protection now largely falls on them.
Lessons learned
The Texas Department of Transportation’s breach is just the latest in a long line of incidents linked to compromised credentials—an attack method that continues to undermine organizations of all sizes.
In too many instances, one stolen password is all it takes. Once inside, a threat actor can move laterally through systems and pull sensitive data, and unless someone is watching for volumes that look nothing like that account's normal pattern, the first sign of trouble is often the data already being gone.
But this kind of breach isn’t inevitable. There are practical, proven steps organizations can take to reduce the blast radius of a compromised account—and in many cases, stop an attack before it starts.
The key is to stop treating a valid login as sufficient proof of authority and to enforce controls at the data itself: which records an account may touch, how many, and under what conditions.
Here’s what that looks like in practice:
- Implement multi-factor authentication (MFA): MFA is one of the most effective defenses against credential-based attacks, but only when it is enforced on every login path, including API, VPN and legacy access. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) over SMS codes and push approvals, which attackers can phish or wear down with repeated prompts.
- Audit and limit account access: Review all user accounts regularly and disable those that are inactive or unnecessary. Apply the principle of least privilege: a user gets access only to the records and systems the job requires, and the ability to export in bulk is itself a privilege to be granted sparingly and monitored. Baseline each account's normal query and export volume so that a sudden jump, such as hundreds of thousands of records from a single login, is flagged while it is happening rather than discovered afterwards.
- Adopt runtime data security tools: Legacy role-based access controls are no longer enough. Runtime data security platforms like Polymer allow organizations to apply context-aware access rules in real time, limiting exposure even if a legitimate account is compromised. This means tighter controls on who accesses what, when, and under what conditions.
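To make the last two points concrete, here is an added example of what "flag a bulk export against the account's own baseline" and "apply a context-aware rule at request time" look like in code. It is written for this post and is not TxDOT's, CRIS's or Polymer's code; the log format, the account names and the volumes are constructed, and the thresholds (a 10x-baseline factor, a 500-record floor, a 5,000-record daily cap) are illustrative assumptions a real deployment would tune.

```python
"""Bulk-export anomaly detection and a request-time access rule.

Added example, not code from TxDOT or Polymer. The audit-log format
(ISO timestamp, account, action, record count) and every account and
number below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed audit log: a week of ordinary analyst activity, then two
# overnight exports from the same account totalling 300,000 records.
CONSTRUCTED_LOG = """
2025-05-05T09:14:02 analyst01 export 42
2025-05-05T14:51:10 analyst01 export 18
2025-05-06T10:02:33 analyst01 export 55
2025-05-07T09:40:12 analyst01 export 37
2025-05-08T11:22:45 analyst01 export 61
2025-05-09T08:58:01 analyst01 export 29
2025-05-12T02:17:44 analyst01 export 120000
2025-05-12T02:31:09 analyst01 export 180000
2025-05-05T09:00:00 clerk02 export 5
2025-05-06T09:00:00 clerk02 export 7
2025-05-12T09:00:00 clerk02 export 6
""".strip()


def parse_log(text):
    """Parse the constructed format into (datetime, account, action, count)."""
    events = []
    for line in text.splitlines():
        ts, account, action, count = line.split()
        events.append((datetime.fromisoformat(ts), account, action, int(count)))
    return events


def daily_totals(events):
    """account -> {date: total records exported that day}."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, account, action, count in events:
        if action == "export":
            totals[account][ts.date()] += count
    return totals


def baseline_for(day_totals, day):
    """Median daily export volume on days strictly before `day`.
    Returns None when the account has no prior history."""
    prior = [n for d, n in day_totals.items() if d < day]
    return median(prior) if prior else None


def detect_bulk_exports(events, factor=10, floor=500):
    """Return (account, day, total, baseline) for each day whose exports
    exceed both `floor` records and `factor` times the account's own
    median history. An account with no history is judged on `floor` alone,
    so a brand-new login cannot escape the check by having no baseline."""
    alerts = []
    for account, day_totals in daily_totals(events).items():
        for day in sorted(day_totals):
            total = day_totals[day]
            base = baseline_for(day_totals, day)
            limit = floor if base is None else max(floor, factor * base)
            if total > limit:
                alerts.append((account, day, total, base))
    return alerts


def access_decision(requested, exported_today, baseline, hard_cap=5000, factor=10):
    """Decide a single export request at runtime, before data leaves.
    - 'deny'    if the request would push the account past a hard daily cap
    - 'step_up' if it would exceed `factor` times the account's baseline
                (force re-authentication instead of trusting the session)
    - 'allow'   otherwise
    A stolen credential alone then yields at most `hard_cap` records a day."""
    projected = exported_today + requested
    if projected > hard_cap:
        return "deny"
    if baseline is not None and projected > factor * baseline:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    for alert in detect_bulk_exports(parse_log(CONSTRUCTED_LOG)):
        print("ALERT", *alert)
    print(access_decision(120000, 0, 40))
```

On the constructed log, only analyst01 on 2025-05-12 is flagged: its prior median is 55 records a day and it exported 300,000. The same account's first 120,000-record request would have been denied outright by `access_decision`, which is the difference between an alert that fires after the download and a control that stops it. The 02:17 timestamp is another signal a real rule would weigh (off-hours access); it is left out here to keep the example to the two controls the list above describes.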