Another significant data breach revealed millions of driver’s license numbers

Another significant data breach revealed millions of driver’s license numbers

U.S. insurance firm AssuranceAmerica has announced a data breach involving the personal details and driver’s license numbers of 6.9 million individuals, marking it as the most significant known leak of Americans’ driver’s license data this year.

Established in 1998, AssuranceAmerica offers car and rental insurance to clients in over a dozen U.S. states. Being a major insurance entity, the company manages extensive data concerning potential insurance clients and vehicle operators, encompassing their personal details and data regarding their state-issued driver’s licenses. In the possession of a malicious individual, a driver’s license number could facilitate fraud and impersonation.

In a data breach notification dispatched to clients and observed by TechCrunch, AssuranceAmerica revealed that it detected unauthorized access in its computer systems on March 17. The company completed its investigation on June 15, discovering that the intruders had extracted clients’ names, contact details, and driver’s license numbers. 

The breach notification stated that the hackers also accessed data concerning clients’ auto insurance policies and accounts, as well as information about their drivers and vehicles, and particulars about client claims. 

The company did not elaborate on what other types of personal data were compromised.

AssuranceAmerica did not disclose the exact reason for the breach but mentioned that the hackers “targeted one of the Company’s employees” and that the company subsequently “disabled compromised credentials.” It remains unclear how those credentials were acquired, but past incidents involving the theft of employee credentials have been associated with password-stealing malware or the use of compromised software.

TechCrunch sent inquiries regarding the situation to AssuranceAmerica CEO Joe Skruck and founder Guy Millner, including whether the company had engaged with the hackers or provided a ransom. Neither answered.

According to a data breach report filed with the Indiana attorney general’s office, AssuranceAmerica noted the breach as affecting 6.99 million individuals, with notification letters scheduled for distribution on July 10.

An alternate copy of AssuranceAmerica’s data breach notification, provided by the Maine attorney general’s office at TechCrunch’s request, also indicates the number of individuals affected is 6.99 million. (Maine’s data breach portal is currently offline and under review following a fraudulent breach disclosure published on its website last month.)

The occurrence at AssuranceAmerica coincides with a series of data breaches impacting driver’s licenses and other identity documents in recent months. In June, the Texas state government reported that hackers compromised data related to at least 3 million driver’s licenses and passport numbers during a breach affecting the state’s parks and wildlife division.

TechCrunch has previously covered numerous security flaws that collectively compromised millions of government-issued identity documents, including incidents involving a hotel check-in system, a money transfer application, a prison payphone provider, and a U.K. visa service. These data leaks arise as websites and apps increasingly require users to provide their identity documents to verify their legal age for access, amid a global initiative by governments to implement age-verification regulations.

When you buy through links in our articles, we may earn a small commission. This does not impact our editorial independence.

Leave a Reply