A Geico data breach that lasted over a month earlier this year exposed customers’ driver’s license numbers to hackers, according to a notice filed with California’s attorney general earlier this month.
The filing, first obtained and reported by online newspaper TechCrunch on Monday, included a message sent to an unspecified number of Geico customers, stating that “between January 21, 2021 and March 1, 2021, fraudsters used information about you — which they acquired elsewhere — to obtain unauthorized access to your driver’s license number through the online sales system on our website.”
“We have reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name,” added Geico, the second-largest auto insurer in the country.
The notice stated that Geico has "secured the affected website and worked to identify the root cause of the incident.”
“While we regularly maintain high security and privacy standards, we have also implemented—and continue to implement—additional security enhancements to help prevent future fraud and illegal activities on our website,” the data breach notice continued.
The company informed customers that the breach was limited to their driver’s license numbers and offered them a one-year subscription to the identity theft protection software IdentityForce.
“In addition to enrolling in the IdentityForce services, we encourage you to be vigilant for incidents of fraud or identity theft by reviewing your account statements and credit reports for any unauthorized activity,” Geico added.
While it is not clear how many people were affected by the breach, California law notes that “any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach” must also file a copy of the notice with the state attorney general’s office.
The Hill has reached out to Geico for additional information on the data breach.
The news comes amid a wave of reported data breaches at unemployment offices, insurance companies and other businesses across the country.
Last May, Washington state officials temporarily halted unemployment payments following a wave of fraudulent claims, and earlier this month, CareFirst BlueCross BlueShield’s Community Health Plan District of Columbia suffered a data breach carried out by what it called a “foreign cybercriminal” group in January.
The company said that the breach, which potentially impacted sensitive data, was reported to both the FBI and the Office of the Attorney General for the District of Columbia.