A security breach at Geico, the second-largest auto insurer in the U.S., allowed fraudsters to access customers’ driver’s license numbers in an attempt to fraudulently apply for unemployment benefits, the carrier said in a recent letter.
In an April 9 notice to affected customers and the California attorney general’s office, Sheila King, Geico’s supervisor of data privacy, said that between January 21 and March 1, 2021, criminals accessed driver’s license numbers through the company’s online sales platform using information illegally acquired elsewhere. That information, Geico believes, could be used to apply for unemployment benefits under the victims’ names.
“If you receive any mailings from your state’s unemployment agency/department, please review them carefully and contact that agency/department if there is any chance fraud is being committed,” King added.
Although the insurer did not specify how many customers were affected, California law requires companies to alert the state’s attorney general when a data breach affects more than 500 residents, according to the Coalition Against Insurance Fraud.
The breach of Geico’s online sales system is not a new phenomenon. A report from identity security firm Sontiq found that carriers’ automated quoting websites are the primary entry point for cybercriminals to access nonpublic personal information (NPI) on customers. Sensitive data that have been compromised in these types of incidents include addresses, VINs, driver’s license details and household member information.
One recent occurrence involved the startup auto insurance company Metromile, which experienced a breach in early 2021 that exposed driver’s license numbers. That breach was caused by a software bug in the company’s online pre-filled quote form and application process. “Based on its preliminary investigation, Metromile determined that unknown persons exploited the software bug to obtain personal information of certain individuals, including individuals’ driver’s license numbers, but, at this time, no customer data has been compromised,” the company said in an SEC filing.
According to Tim Sadler, CEO and co-founder of security software firm Tessian, bad actors can use driver’s license numbers to manufacture fake IDs or exploit the information to craft elaborate social engineering phishing attacks.
While committing unemployment benefits fraud appears to be the motive in Geico’s case, Sadler notes other ways scammers can abuse personal information: “In other cases, a scam using these driver’s license numbers could look like an email that impersonates the DMV, requesting the person verify their driver’s license number, automobile registration or insurance information, and then inserting a malicious link or attachment into the email,” he said. “From there, in addition to applying for that person’s unemployment benefits, the cybercriminal could steal sensitive identity information or wire money to fraudulent accounts.”
Although Geico announced that it fixed the security bug that led to the breach, Sadler warns that these recent events show driver’s license numbers are in high demand.
To prevent the exposure of sensitive personal data, Sadler recommends password best practices, including not reusing old passwords, avoiding the same password on multiple websites, and not using passwords containing personal information like the names of children or pets. “We’re seeing hackers skim social media more and more to glean insights that could be used to guess passwords,” he cautioned.