Breach Notification , Fraud Management & Cybercrime , Fraud Risk Management
Geico Says Driver's License Numbers Stolen From Website
Data Used for Fraudulent Unemployment ClaimsU.S. insurance giant Geico says fraudsters stole driver's license numbers from its website after they supplied personal information that they had acquired elsewhere.
See Also: Gartner Guide for Digital Forensics and Incident Response
The driver's license numbers are believed to have been used "to fraudulently apply for unemployment benefits," Geico says.
Over the last year, there has been a staggering rise in U.S. unemployment benefit fraud. The Labor Department's Office of the Inspector General estimated that between April and September 2020, as much as 10% of the $360 billion spent as part of the CARES Act, the first of three pandemic-related stimulus packages, may have been paid improperly, with a "significant portion attributed to fraud."
Geico's breach was revealed in a notice published by California's Office of the Attorney General and first reported by TechCrunch. The notice was sent to affected consumers. Organizations in California are required to notify the state of data breaches affecting 500 residents or more.
Chevy Chase, Maryland-based Geico didn't say how many people were affected or if people living in states other than California were also affected. The company did not immediately reply to a request for more information.
The company says the exposure lasted from Jan. 21 to March 1. Geico didn't provide details on the security weakness, only saying it involved "the online sales system on our website."
"As soon as Geico became aware of the issue, we secured the affected website and worked to identify the root cause of the incident," the company says. "While we regularly maintain high security and privacy standards, we have also implemented - and continue to implement - additional security enhancements to help prevent future fraud and illegal activities on our website."
Geico is offering those affected by the breach a prepaid one-year subscription to the identity theft monitoring service IdentityForce.
Not on Dark Web
So far, it doesn't appear the Geico data has turned up on the dark web, says Alex Holden, CTO of Hold Security, a Wisconsin-based consultancy that monitors dark web sources for stolen data.
A decade ago, the exposure of a driver's license number was not as serious an event, Holden says. But there's been an uptick in cybercriminal interest in driver's license numbers with the onset of pandemic restrictions limiting in-person contact. "Nobody asks you to show up at a physical location, whether it’s a bank or an unemployment office," Holden says.
Because of the lack of face-to-face interaction, organizations haven't been able to ensure that a physical driver's license actually matches a person.
Aside from fraudulent unemployment claims, driver's license numbers are useful these days for those seeking to become contractors for delivery services but who lack a valid license, Holden says.
Also, the expiration dates of licenses have been less relevant due to the pandemic. Wisconsin, for example, allowed older people to continue to use expired licenses to reduce physical traffic at renewal facilities, Holden says.
Since 2017, driver's license data for more than 150 million people in the U.S. has been compromised in data breaches, according to the Identity Theft Resource Center. In November 2020, the insurance software firm Vertafore disclosed unauthorized access to one of its databases that held driver's license data for more than 27 million Texas citizens (see: Data of 27 Million Texas Drivers Compromised in Breach).