Geico, the second-largest auto insurer in the U.S., has suffered a data breach, threat actors exploited a now-fixed bug in their website to steal the driver’s licenses for policyholders for several weeks.
Geico provided coverage for more than 24 million motor vehicles owned by more than 15 million policy holders as of 2017.
“We recently determined that between January 21, 2021 and March 1, 2021, fraudsters used information about you – which they acquired elsewhere – to obtain unauthorized access to your driver’s license number through the online sales system on our website. We have reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name.” reads the data breach notification filed by Geico with the California Attorney General’s office.
The auto insurer revealed that attackers used information obtained from other data breaches to obtain info on its policyholders, the company fears that crooks could use the driver’s license number to apply for unemployment benefits on behalf of the policy holder’s name.
Once discovered the security breach, Geico secured the website and launched an investigation into the incident to determine the root cause. The company also announced the implementation of additional security enhancements to help prevent future fraud and illegal activities on our website.
At the time of this writing, the company has yet to determine which drivers have been impacted for this reason it would like to offer its customers a one-year subscription to IdentityForce to help protect their identity from theft.
Geico is recommending customers remain vigilant about unsolicited emails from their state’s unemployment agency and report to the agency any suspicious activity.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Geico)