Threat actors stole driver license numbers from customers of GEICO insurance for nearly two months earlier this year due to a security flaw on its website that has since been fixed.
The second-largest auto insurance provider in the United States disclosed the vulnerability in a data breach notice filed earlier this month with the California attorney general’s office. Companies in the state are required to provide notice of data breaches to the AG within three months of their discovery.
The notice came in the form of a letter to clients who may have been affected by the breach, signed by Sheila King, manager for data privacy of the GEICO Privacy Team. In it, she wrote that cybercriminals obtained access to the customer’s driver license from the online sales system of the company’s website between January 21, 2021 and March 1, 2021.