Geico has filed a data breach notice with the California attorney general’s office, admitting that fraudsters had stolen customers' driver's license numbers from its website. In the notice, discovered by TechCrunch, the American auto insurance titan said that from January 21st to March 1st this year, bad actors infiltrated its website using information on its customers that they acquired elsewhere. They then accessed the victims' driver's license information through the website's online sales system.
The company didn't say how many individuals' license details were stolen. As TechCrunch notes, though, California's AG office requires entities to file a data breach notice when at least 500 residents were affected in a security incident. Geico says it has reason to believe that the fraudsters could use the stolen information to apply for unemployment benefits in their name. Authorities usually require a government ID, such as driver's licenses, to be able to apply for unemployment — that means stolen names and addresses from other sources wouldn't be enough.
Geico explained that it secured its website and worked to identify the root cause of the incident as soon as it became aware of the issue. However, it didn't reveal what that root cause was in the notice. It wrote in the notice it's sending affected customers: "If you receive any mailings from your state's unemployment agency/department, please review them carefully and contact that agency/department if there is any chance fraud is being committed." The company is also giving affected customers a one-year subscription to IdentityForce to protect themselves from identify theft.