We’ve finally been learning over the last couple weeks about the data breach affecting more than 27 million Texas drivers — although the incident is believed to have taken place months ago.

After discovering the breach, the negligent party — insurance software vendor Vertafore — issued a security advisory stating that at some point between March 11 and Aug. 1 of this year, there was potential unauthorized access to three data files with information for licenses issued before February 2019 that included license numbers, names, dates of birth, addresses and vehicle registration histories for about 27.7 million drivers. The files did not contain any Social Security numbers or financial account information, however.

The latter part of that advisory is good news, we suppose. But that hardly means the stolen information can’t be used for fraud.

As Dallas Morning News Watchdog columnist Dave Lieber recently pointed out, criminals can send citizens a letter or email pretending to be from their lender, identifying the correct vehicle they own and asking them to send their payment to a different address. Or thieves could offer citizens a special rate on their loan and ask them to click on a malicious web link, or otherwise confuse them enough so they just send them their money.

So despite Vertafore’s reassurances that they are “not aware of any way this information could be used to commit fraud,” the breach is worrisome enough. But it also exposes something equally troubling: The state doesn’t respect the privacy of its citizens or it wouldn’t be selling our data.

As Lieber reported in 2015, several state government departments sell information to outsiders, with the Texas Department of Motor Vehicles earning $2.4 million in sales in 2014. And the DMV made more than $3 million in 2019 selling drivers’ names, addresses, phone numbers, email addresses and VIN information, according to a report this year from CBS 11/KTVT reporter Brian New.

But while the outside parties our state sells our data sets to are not allowed to use it for marketing purposes, some of those companies then resell that information to companies that do use it to sell to and agitate citizens.

“If you get a boatload of calls, for example, like I do, trying to sell me an extended car warranty, you can thank the state,” Lieber writes.

The Legislature needs to change the law in its 2021 session to ensure Texas — like many other states — can no longer sell this data. At the very least, lawmakers could decide to give citizens privacy statements and allow them to opt out of the information sold, as residents of California were recently allowed to do.

Until then, we can thank our elected officials for all the unwanted spam email, snail mail and phone calls we get based on information about us that outside companies bought from the state.

And while the FBI and Texas Attorney General Ken Paxton’s office are investigating the situation, one commenter on a post on bloggers network Security Boulevard recommended that the DMV issue 28 million new licenses with new numbers and invalidate the old ones, further suggesting, “since this is likely to be an expensive and time-consuming process, they should probably sue Vertafore to make them pay for it. And while they’re at it, they should probably make sure that Vertafore is never allowed to access this data again. Realistically, none of this will happen, the compromised DL numbers will remain valid in perpetuity. … And Vertafore won’t even be fined.”

They’re right, of course.

Meanwhile, Vertafore is offering free credit monitoring and identity restoration services for one year to those who call (888) 479-3560 or visit vertafore.kroll.com. Citizens should also keep an eye on their credit report and may want to put a fraud alert on their credit accounts.

The state makes a pretty penny selling our data. Let’s just hope it doesn’t prove to be too costly for the citizens it sold out.