The second-largest auto insurer in the US, the one with the cute little gecko from the TV commercials that you’re all familiar with, has been hit by a data breach.
Geico has disclosed that a security incident occurred between January 21 and March 1 of this year, per a notice filed with the California attorney general’s office. Unfortunately, this breach that lasted for a little more than a month appears to have exposed the driver’s license numbers of an unspecified number of Geico customers. The official notice reads, in part: “Fraudsters used information about you — which they acquired elsewhere — to obtain unauthorized access to your driver’s license number through the online sales system on our website. We have reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name.”
While we noted that the number of affected customers has not been specified, we do at least know the bare minimum number that’s been affected. According to California law, “any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach” has to also file a notice with the state attorney general’s office. That was done in this case, which implies that more than 500 customers were affected.
Can't wait to see how the GEICO Gecko spins this: "I can lose millions of licenses in just 15 minutes!" https://t.co/staalAhT4s
— Lance Ulanoff (@LanceUlanoff) April 19, 2021
Geico’s suspicion is that the driver’s license numbers might be put to use for a specific purpose. The company has told customers that it has “reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name.” Though it’s not clear how far they would get, since a number of US states require that a government ID be presented, and not simply a number, when someone files for unemployment benefits. “As soon as GEICO became aware of the issue, we secured the affected website and worked to identify the root cause of the incident,” Geico added in communication with customers about this incident.
“While we regularly maintain high security and privacy standards, we have also implemented — and continue to implement — additional security enhancements to help prevent future fraud and illegal activities on our website.”
This all calls to mind other data breach incidents we’ve covered, including one that we reported back in February, involving word that California state residents may have had their personal data stolen via a cyberattack on a vendor associated with the California Department of Motor Vehicles. According to a warning from the state’s DMV, more than a year’s worth of customer data that includes license plate numbers and individual addresses may have been compromised via the data breach. The breach targeted Automatic Funds Transfer Services, a financial services and data management company that contracts for services with California’s DMV, which the DMV has used to verify car owners’ change of address.