A security flaw allowed “fraudsters” to steal driver’s license numbers from Geico’s online sales system, according to a data breach notice filed with the California attorney general’s office. Geico has since fixed the vulnerability, which went unnoticed for over a month, but asks that customers look out for fraudulent unemployment applications.
The cause of this data breach is still unclear. Geico states that its online sales system was compromised using data gathered “elsewhere,” which could imply that hackers broke into accounts using login information or personal data leaked from other websites. Still, Geico says that it fixed the problem, so there may have been a bug in its sales system; the insurer’s report is just too vague.
From the Geico data breach notice:
We recently determined that between January 21, 2021 and March 1, 2021, fraudsters used information about you – which they acquired elsewhere – to obtain unauthorized access to your driver’s license number through the online sales system on our website. We have reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name. If you receive any mailings from your state’s unemployment agency/department, please review them carefully and contact that agency/department if there is any chance fraud is being committed.
Unemployment fraud is a common form of identity theft that requires a driver’s license and other personally identifying information. The fact that Geico is laser-focused on unemployment fraud is concerning, and suggests that hackers broke into the online sales system using customers’ personal information.
But again, we don’t know what happened because Geico’s notice is too vague. Geico hasn’t announced (or doesn’t know) how many U.S. residents were affected by the breach, though the number could be quite large. Companies are only required to notify the California attorney general’s office when over 500 state residents are affected by a data breach—and again, that’s just people who live in California.
If you’re a Geico customer, keep an eye out for any mail from your state unemployment office. Geico says that it does not know if your driver’s license number was stolen from its website, though it will give you a year of IdentityForce identity-theft protection and insurance if a fraudster files for unemployment under your name.