A Geico Data Breach Let Cyber Fraudsters Steal Customers’ Driver’s Licence Numbers

A Geico Data Breach Let Cyber Fraudsters Steal Customers’ Driver’s Licence Numbers
Photo: David McNew, Getty Images
To sign up for our daily newsletter covering the latest news, features and reviews, head HERE. For a running feed of all our stories, follow us on Twitter HERE. Or you can bookmark the Gizmodo Australia homepage to visit whenever you need a news fix.

Car insurance giant Geico has quietly disclosed that a recent security breach allowed cyber thieves to steal customers’ driver’s licence information right off the company’s website.

The breach was made public Monday after TechCrunch noticed that the company had recently filed a breach notice with the California Attorney General’s Office — as is required by state law.

While it’s not totally clear how big the breach was, the state’s disclosure requirements are pegged to incidents affecting more than 500 state residents. We reached out to Geico and will update this story if we hear back from them.

According to their notice, a security issue sat unpatched on the company’s website for more than a month, though it’s not totally clear what the issue actually was. The issue has since been resolved, though not before an unknown amount of people had their information stolen. Geico provides the following picture of what happened:

We recently determined that between January 21, 2021 and March 1, 2021, fraudsters used information about you – which they acquired elsewhere – to obtain unauthorised access to your driver’s licence number through the online sales system on our website. We have reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name.

That the data might be used for unemployment fraud is unfortunate if not totally unexpected. Throughout 2020, organised cybercrime groups targeted systems all across the country and made an amazing amount of money doing it. California’s fraudulent claims have numbered in the billions. In Washington state, a reported $US650 ($838) million was lost to “questionable claims.” Ohio allegedly paid out $US330 ($425) million. The list goes on and on.

In such schemes, cybercriminals will typically use previously leaked or stolen personal information to pretend to be someone else, in the hopes of successfully phishing state unemployment systems.

Geico has warned that if you receive information from your state system about unemployment benefits that you haven’t personally filed for, there’s a solid chance you have been targeted for identity theft. If that happens, you should “contact that agency/department if there is any chance fraud is being committed,” the company said.