Geico Gecko, a major US car insurance provider, has suffered a data breach that exposed driver’s licenses for policyholders. The breach lasted for over a month before it was addressed.
The second-largest car insurance company in the United States has issued over 17 million policies for more than 28 million vehicles.
Geico filed a data breach notification with the California Attorney General’s office. According to the company, cybercriminals abused the company’s online portal for over a month. Attackers managed to gain access to policyholders’ driver’s license numbers by leveraging customer personal details obtained elsewhere.
“We recently determined that between January 21, 2021 and March 1, 2021, fraudsters used information about you – which they acquired elsewhere – to obtain unauthorized access to your driver’s license number through the online sales system on our website,” says Geico’s data breach notification.
Using leaked customer information, threat actors managed to pull up info on policyholders in Geico’s sales portal. The company did not specify what information was required to access the portal.
Geico fears the threat actors can use the stolen driver’s license numbers to try to apply for unemployment benefits in the policyholder’s name.
“We have reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name.”
The company further advises impacted customers to be vigilant from now on. If they receive any unexpected emails from their state’s unemployment agency, they should immediately contact the agency about possible fraud:
“If you receive any mailings from your state’s unemployment agency/department, please review them carefully and contact that agency/department if there is any chance fraud is being committed.”
Geico says it has secured the portal and added security measures to prevent fraud or illegal activities in the future.
For all affected policyholders, Geico offers a free one-year subscription to their identity protection service.