"As soon as Geico became aware of the issue, we secured the affected website and worked to identify the root cause of the incident," said Sheila King, manager of data privacy at Geico, in an April 9th letter to affected customers. (Photo: Jonathan Weiss/Shutterstock)
A security breach at Geico, the second-largest auto insurer in the U.S., allowed fraudsters to access customers' driver's license numbers in an attempt fraudulently apply for unemployment benefits, the carrier said in a recent letter.
In an April 9th notice to affected customers and the California attorney general's office, Sheila King, Geico's manager of data privacy, said that between January 21 and March 1, 2021, criminals accessed driver's license numbers through the company's online sales platform using information illegally acquired elsewhere. That information, Geico believes, could be used to apply for unemployment benefits under the victims' names.
"If you receive any mailings from your state's unemployment agency/department, please review them carefully and contact that agency/department if there is any chance fraud is being committed," King added.
Although the insurer did not specify how many consumers were affected, California law requires companies to alert the state's attorney general when a data breach impacts more than 500 residents, according to the Coalition Against Insurance Fraud.
The breach of Geico's online sales system is not a new phenomenon. A report from identity security firm Sontiq found that carriers' automated quoting websites are the primary entry point for cybercriminals to access non-public information (NPI) on customers. Sensitive data that have been compromised in these types of incidents include addresses, VINs, driver's license details and household member information.
One recent occurrence involved the startup auto insurance company Metromile, which experienced a breach in early 2021 that exposed driver's license numbers. That breach was caused by a software bug in the company's online pre-filled quote form and application process. "Based on its initial investigation, Metromile determined that unknown persons exploited the software bug to obtain personal information of certain individuals, including individuals' driver's license numbers, but, at this time, no customer data has been compromised," the company said in an SEC filing.
According to Tim Sadler, CEO and co-founder of security software firm Tessian, bad actors can use driver's license numbers to manufacture fake IDs or exploit the information to craft elaborate social engineering phishing attacks.
While committing unemployment benefits fraud appears to be the motive in Geico's case, Sadler notes other ways scammers can abuse personal information: "In other cases, a scam using these driver's license numbers could look like an email that impersonates the DMV, requesting the person verify their driver's license number, car registration or insurance information, and then inserting a malicious link or attachment into the email," he said. "From there, in addition to applying for that person's unemployment benefits, the cybercriminal could steal sensitive identity information or wire money to fraudulent accounts."
Although Geico announced that it fixed the security bug that led to the breach, Sadler warns that these recent events prove driver's license numbers are in high demand.
To prevent the exposure of sensitive personal data, Sadler recommends password best practices, including not reusing old passwords, avoiding the same password on multiple websites, and not using passwords containing personal information like the names of children or pets. "We're seeing hackers skim social media more and more to glean insights that could be used to guess passwords," he cautioned.
© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.