US insurer AssuranceAmerica has confirmed a data breach affecting the personal information and driver’s license numbers of 6.9 million people, making it the largest known leak of Americans’ driver’s license information this year.
Founded in 1998, AssuranceAmerica provides auto and rental insurance to customers in more than a dozen US states. As a major insurance provider, the company manages a large amount of information about prospective insurance customers and vehicle drivers, including their personal and state-issued driver’s license information. In the hands of a malicious person, a driver’s license number can be used for fraud and impersonation.
In a data breach notification sent to customers and featured by TechCrunchAssuranceAmerica said it discovered hackers on its computer systems on March 17. The company completed its investigation on June 15, finding that the hackers had stolen customer names, contact information and driver’s license numbers.
The breach notification said the hackers also took information about customers’ insurance policies and car accounts, their drivers and vehicles, as well as details about customer claims.
The company did not provide details on the other types of personal information obtained.
AssuranceAmerica did not specify the specific cause of the breach, but noted that the hackers “targeted one of the Company’s employees” and that the company subsequently “disabled the compromised credentials.” It’s unclear how these credentials were stolen, but previous incidents involving stolen employee credentials have been linked to password-stealing malware or the use of compromised software.
TechCrunch sent questions about the incident to AssuranceAmerica CEO Joe Skruck and founder Guy Millner, including whether the company had any contact with the hackers or paid a ransom. Neither of them answered.
According to a data breach listing with the Indiana attorney general’s office, AssuranceAmerica listed the breach as affecting 6.99 million people, with notification letters sent out on July 10.
A separate copy of AssuranceAmerica’s data breach notification, shared by the Maine attorney general’s office at TechCrunch’s request, also puts the number of people affected at 6.99 million. (Maine’s data breach portal is currently offline and under review after a fraudulent breach disclosure posted on its website last month.)
The incident at AssuranceAmerica follows a series of data breaches affecting driver’s licenses and other identification documents in recent months. In June, Texas state government said hackers stole information on at least 3 million driver’s license and passport numbers during a data breach that affected the state’s parks and wildlife department.
TechCrunch has previously reported on several security breaches that together leaked millions of government-issued identity documents, including incidents with a hotel check-in system, a money transfer app, a prison payphone provider and a UK visa service. These data leaks come as websites and apps increasingly require web users to hand over their ID documents to prove they are legally old enough to access them, amid a global push by governments to introduce age verification laws.
When you purchase through links in our articles, we may earn a small commission. This does not affect our editorial independence.
