Car insurance giant Geico has quietly disclosed that a recent security breach allowed cyber thieves to steal customers’ driver’s license information right off the company’s website.
The breach was made public Monday after TechCrunch noticed that the company had recently filed a breach notice with the California Attorney General’s Office—as is required by state law.
While it’s not totally clear how big the breach was, the state’s disclosure requirements are pegged to incidents affecting more than 500 state residents. We reached out to Geico and will update this story if we hear back from them.
According to their notice, a security issue sat unpatched on the company’s website for more than a month, though it’s not totally clear what the issue actually was. The issue has since been resolved, though not before an unknown amount of people had their information stolen. Geico provides the following picture of what happened:
We recently determined that between January 21, 2021 and March 1, 2021, fraudsters used information about you – which they acquired elsewhere – to obtain unauthorized access to your driver’s license number through the online sales system on our website. We have reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name.
That the data might be used for unemployment fraud is unfortunate if not totally unexpected. Throughout 2020, organized cybercrime groups targeted systems all across the country and made an amazing amount of money doing it. California’s fraudulent claims have numbered in the billions. In Washington state, a reported $650 million was lost to “questionable claims.” Ohio allegedly paid out $330 million. The list goes on and on.
In such schemes, cybercriminals will typically use previously leaked or stolen personal information to pretend to be someone else, in the hopes of successfully phishing state unemployment systems.
Geico has warned that if you receive information from your state system about unemployment benefits that you haven’t personally filed for, there’s a solid chance you have been targeted for identity theft. If that happens, you should “contact that agency/department if there is any chance fraud is being committed,” the company said.