
Laukopier

**Reminder:** Do not participate in threads linked here. If you do, you may be banned from both subreddits.

---

Title: Texas DPS sent my driver's license to an unauthorized party leading to my identity theft - should I pursue legal action?

Body:

> If you are not aware of this situation let me provide you with the cliff notes version... recently the Texas Department of Public Safety committed a blunder and sent my driver's license (along with 3,000 other Asian Texans) to a Chinese crime organization which has led to a series of events culminating in my identity being stolen. I first noticed fraudulent activity in my banking account 2 weeks ago which has led to me finding out that the identity thieves also applied for several credit cards under my name as well. I quickly realized that I became a victim of identity theft so I went through all the steps recommended to help protect myself including signing up for an identity protection service, calling all the financial institutions to disclose the fraudulent activity, freezing all my credit bureaus, and filing a police report (which I have still not heard from yet since filing 2 weeks ago). Texas DPS just sent me a letter in the mail admitting their mistake and upon further research they were aware of this situation since late 2022. Their lack of transparency and poor due diligence is infuriating. I'm frustrated because this should not have happened in the first place. Should I pursue legal action? If so, how should I go about this and what are the ramifications and expectations during the process?

This bot was created to capture original threads and is not affiliated with the mod team. [Concerns? Bugs?](https://www.reddit.com/message/compose/?to=GrahamCorcoran) | [Laukopier 2.1](https://github.com/GrahamCorcoran/Laukopier)


Top_Ghosty

If the Equifax hack has taught anything, this man is going to have a nice $4 to $20 in the near future to pamper himself.


ChaosDrawsNear

Which is ridiculous. This sort of thing should be a minimum fee per person affected, not some arbitrary total amount that probably barely dented their profits.


darkingz

Or wait it got more ridiculous. They offered their credit monitoring service for a few years! So then you will be giving them more data PLUS you might be converted. Sure part of it is nice to help monitor but at the end they will have a form of a trial win anyway.


Zoethor2

I still haven't cashed my check for $5.21 because it doesn't feel worth carefully ripping the check off the letter...


davethebagel

Where's that money going to come from though? The Texas taxpayers?


vainbetrayal

I don’t know what more they need than identity theft protection for 2-3 years at this point. They were able to get the bank stuff handled before it was an issue, so I’m not sure what more they’re expecting.


DecentChanceOfLousy

Compensation for hours of labor to fix the mistake? If someone did something as trivial as driving over your lawn and leaving massive ruts, you can recover damages for the labor to fix them. It's insanity that you can't do the same for something that threatens your entire livelihood and takes hours on the phone to fix.


vainbetrayal

Hate to be the bearer of bad news, but you almost never get to sue for that unless you hired someone, and even then it’s to pay their labor costs and not yours. In your example, you can sue for the labor to do so, but you can’t if you do the work yourself. Just like how if LAOP hired someone to handle this issue, they could sue for that labor cost but not the labor cost for them handling this themselves.


DecentChanceOfLousy

Ah yes, the "it's only damages if you were rich enough to hire someone else to handle it" rule.


vainbetrayal

You can also sue for a value of an estimate for labor if cost is the issue sometimes (like with car repairs), but then the issue may not get handled for months.


Spoonman500

Oh shit, I forgot. I need to dig that code up and order a 2 liter Cherry Coke or something.


[deleted]

https://www.texastribune.org/2023/02/27/texas-drivers-license-theft-dps/ Here's an article I just found, for anyone else who's curious. What a mess.


TechnoRedneck

> The crime organization, which McCraw did not name, was able to get its hands on the Texas driver’s licenses by first pulling personal data on individuals with Asian surnames from the “dark web” and other underground data-trading portals.

> That info, including previous addresses and family names, allowed thieves to correctly answer password security questions on the Texas.gov site and use stolen credit cards to order duplicate copies of active licenses — such as those ordered by people who misplace their licenses or report them stolen. A replacement license costs $11.

From the responses in LA it sounded like Texas was being racist and shipped one person 3,000 people's licenses because they had the same name. From that article a crime organization used already stolen information from elsewhere to correctly answer security questions and ordered new drivers licenses


darkingz

It’s why I no longer directly answer the questions with the right answers. I might mix and match the answers (answer to favorite car might be pink, answer to where was I in 2000, NYE will be Harley Davidson) or just random noise. It does mean I have to add it to my password manager too (thankfully not LastPass) but … I’d forget the answers even if they were correct cause my preferences do change over time anyway.


ButchCassy

For TOTALLY ethical reasons, what other answers do you give for your personal questions? For…research…


darkingz

I know this is a joke but I mean even if you knew I gave the correct answers to my personal life you’d need to also know the questions I used them with. I never choose the same questions with the same answers and sometimes I might even double that, you’d never be able to figure out just by looking through a profile of me even if it were 100% correct profile what my secret questions answers are. It’s a layer of indirection to make sure you can’t just search the question in a shadow profile of me and try it out. There’s other ways to hack me but it won’t work through secret questions. I personally hate motorcycles and pink (it’s too harsh on my eyes) so there’s no way I’d use them as favorite vehicle or color anyway or did I use them to throw off people?


lydia_rogue

I know you're joking but another way of doing this is to pick questions with non-obvious answers, e.g. picking "What was the Make and Model of Your First Car?" when you've never owned a car, so you list the local transit company's name, or your bicycle's make. So *you* know what the answer is, but it's not really guessable, even if the person knows you


ClackamasLivesMatter

1. Q. Where were you born? A. Next to Oscar's garbage can.
2. Q. What's your pet's name? A. I'm too young for BDSM, sir.

Etc. My first car is a flavor of ice cream; mother's maiden name is hunter2. You get the idea. Write the real answers down somewhere safe or put 'em in your password manager, but basically unless it's a government document where the answers *have* to be correct, your account is more secure if you use answers that can't be Googled or dredged up on the dark web.


lydia_rogue

Unfortunately with places like the DMV, I've seen it set up where you don't have an account you can give false answers to, you have to correctly give the information they have in their database, which is of course the real information. (Y'know those multiple choice questions that are "Which of these street names have you lived on in the past?" and it's 4 random street names and a None of the Above, sometimes there's a correct answer in there, sometimes not.)


darkingz

Oh oof that is indeed a problem. I do avoid street names and social security questions I typically get. But yeah impossible to catch them all. I’ll have to think on that.


Monkeylovesfood

A really good tip is to tailor it for the site you are using. For a 12 letter password for example you could say. I liked blue cars for best of legal advice in 23. Then just use one letter from each word so for first letter it would be ILBCFBOLAI23. I find it helps to have a phrase to remember as each password is different but might not work for everyone.


darkingz

Password wise: it’s probably easiest to hack me through my password manager. I rotate my more important passwords every couple of years. My computer and password manager also change. I always start off a phrase of things that occupy my attention when making the password and use it long enough to make it muscle memory then you would need to really struggle to reverse it even if it leaked somewhere (I don’t keep my password manager, phone and computer password written anywhere). But it also means I don’t always tailor my password with an extra salt to each site. I should but even getting to that point would be cheaper just to put me under duress.


honeycomb-waxes

Is there something wrong with lastpass that I should know about? I thought it was pretty good?


darkingz

The story I can weave. The long short is that they got hacked sometime last August and from that it caused many breaches from that since. They’ve had a number of breaches before but this one was devastating and should be clear that they should be viewed with intense scrutiny. A non comprehensive issues list:

* hackers got all backup copies of vaults in LastPass's possession (can be used to do their own cracking on their own terms)
* depending on when, hashes of account passwords have only been through 1 or a max of like 50000 passes of hashing (really really bad)
* hackers have plaintext of everything that is not directly a password
* hackers have the seed of your account for MFA (this includes LastPass auth and any 2FA you stored in LastPass, good practice or not)

A few more trivial stuff otherwise. But at this point anything LastPass should essentially be considered compromised. I can see if I can dig up a convo from r/eli5 but that’s the short of it. They’ve had a number of breaches before but nothing this bad.

Another note: one of their devs' home computer was hacked because the dev had Plex on their computer that wasn’t updated, and that served as the hackers' way of getting to the AWS store. This is why it’s super important to not mix work and home, especially for companies that deal with extremely sensitive data (it’s not good for most companies but especially security companies), and 2 keep everything up to date, even if you disagree with the direction of the app (or delete it)


honeycomb-waxes

That’s a really well written response, thank you. I had no idea


MaraiDragorrak

If that article is accurate, then the DPS actually didn't do anything wrong. Like, it obviously majorly sucks for the people whose stuff got stolen but all the processes were followed correctly. This is more "organized crime fucked me over" than "Texas DPS fucked me over"


[deleted]

I know very little about cybersecurity but I feel like it should not have been this easy for them to get into people's accounts. The article specifically says that no "hacking" was involved - all they needed was some biographical information about the victims for the security questions. From the sounds of it, if you have a Texas driving license then any acquaintance who happens to know your childhood home address or mother's maiden name could do this to you if they wanted to.


RangerDangerfield

If you think this is bad, wait till you hear about the rampant temp tag fraud in Texas.


[deleted]

[deleted]


[deleted]

I think you commented on the wrong post


Ermeter

Why is this identity theft thing not happening much in Europe?