Geico, the second-largest auto insurer in the U.S., has fixed a security bug that let fraudsters steal customers’ driver’s license numbers from its website.
In a data breach notice filed with the California attorney general’s office, Geico said information gathered from other sources was used to “obtain unauthorized access to your driver’s license number through the online sales system on our website.”
The insurance giant did not say how many customers were affected by the breach but said the fraudsters accessed customer driver’s license numbers between January 21 and March 1. Companies are required to alert the state’s attorney general’s office when more than 500 state residents are affected by a security incident.
Geico said it had “reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name.”
Many financially driven criminals target government agencies using stolen identities or data. But many U.S. states require a government ID — like a driver’s license — to file for unemployment benefits. To get a driver’s license number, fraudsters take public or previously breached data and exploit weaknesses in auto insurance websites to obtain a customer’s driver’s license number. That allows the fraudsters to obtain unemployment benefits in another person’s name.
Earlier this year, San Francisco-based insurance startup Metromile admitted a bug on its website was used to obtain driver’s license numbers for six months before the bug was fixed in January.
If you’ve received correspondence from your state government and haven’t filed for unemployment benefits, there’s a good chance your personal data may have been used fraudulently.
Geico spokesperson Christine Tasher did not return multiple requests for comment.