A knowledge breach at insurance coverage agency Lemonade left the small print of 1000’s of drivers’ licenses uncovered for 17 months.
In keeping with the corporate, on March 14 2025 Lemonade learnt {that a} vulnerability in its on-line automotive insurance coverage utility course of contained a vulnerability that was prone to have uncovered “sure driver’s license numbers for identifiable people.”
Lemonade says that the unauthorised publicity began in roughly April 2024, and continued by September 2024.
The insurance coverage firm first disclosed particulars of the safety breach in official filings to the Legal professional Generals of Texas, South Carolina, and California final week, revealing that it might be contacting affected people by way of the mail.
Roughly 17,563 people in Texas and 1,950 people in South Carolina are mentioned to be amongst these affected.
The affected on-line course of additionally collects different info from automotive insurance coverage candidates, together with names, dates of start, and residential addresses. As The File notes, the driving license quantity is often routinely populated within the utility kind by a third-party vendor.
In Lemonade’s information breach notifications being despatched to affected members of the general public, it is not clear whether or not any extra private information past driver’s license numbers was compromised. Regardless, the driving license info by itself might doubtlessly be of use to criminals and fraudsters.
Lemonade says that it has resolved the vulnerability, however has not shared any particulars of how the breach occurred or the way it turned conscious that it had an issue. It’s doable that they have been tipped off to the vulnerability by a third-party who stumbled throughout the issue.
In fact, information of the existence of the vulnerability doesn’t essentially imply that it was exploited by a malicious social gathering. Lemonade is at pains in its notification letter to underline that it has no proof to counsel that the uncovered driver’s license quantity particulars have been abused by criminals.
Nonetheless, it is higher to be secure than sorry. Impacted people are being suggested by Lemonade to observe the corporate’s tips about easy methods to defend themselves, together with:
- Monitoring their credit score reviews and monetary accounts for suspicious or unauthorised exercise.
- Take into account setting up a fraud alert or freeze on their credit score file.
- Reporting any suspicious actions or unauthorised transactions instantly to native regulation enforcement and monetary establishments.
This isn’t the primary time Lemonade has discovered itself within the headlines relating to the way it handles buyer information.
Again in Might 2021, a “flaw” was found that allowed anybody to view different customers’ account particulars simply by utilizing a search engine. Lemonade countered by claiming that the issue was not likely a safety vulnerability.
In the identical 12 months, Lemonade discovered itself dealing with allegations that it had made false statements about its assortment of consumers’ biometric information and use of facial recognition and AI know-how.
In response to the current breach, Lemonade has taken steps to repair the vulnerability and is providing non permanent id safety companies to affected prospects. Nonetheless, the corporate has not disclosed the entire variety of people impacted or detailed how the breach was found. 
