A data breach at insurance company Lemonade left the details of hundreds of drivers’ licenses exposed for 17 months.
According to the company, on March 14 2025 Lemonade learnt that its online car insurance application process contained a vulnerability that was likely to have exposed “certain driver’s license numbers for identifiable people.”
Lemonade says that the unauthorised exposure started in approximately April 2024, and continued through September 2024.
The insurance company first disclosed details of the security breach in official filings to the Attorneys General of Texas, South Carolina, and California last week, revealing that it would be contacting affected individuals via the mail.
Roughly 17,563 people in Texas and 1,950 people in South Carolina are said to be among those affected.
The affected online process also collects other information from car insurance applicants, including names, dates of birth, and home addresses. As The Record notes, the driver’s license number is usually automatically populated in the application form by a third-party vendor.
In Lemonade’s data breach notifications being sent to affected members of the public, it is not clear whether any additional personal data beyond driver’s license numbers was compromised. Regardless, the driver’s license information on its own could potentially be of use to criminals and fraudsters.
Lemonade says that it has resolved the vulnerability, but has not shared any details of how the breach occurred or how it became aware that it had a problem. It’s possible that they were tipped off to the vulnerability by a third party who stumbled across the issue.
Of course, news of the existence of the vulnerability doesn’t necessarily mean that it was exploited by a malicious party. Lemonade is at pains in its notification letter to underline that it has no evidence to suggest that the exposed driver’s license number details have been abused by criminals.
Nonetheless, it is better to be safe than sorry. Impacted individuals are being advised by Lemonade to follow the company’s tips on how to protect themselves, including:
- Monitoring their credit reports and financial accounts for suspicious or unauthorised activity.
- Considering placing a fraud alert or freeze on their credit file.
- Reporting any suspicious activities or unauthorised transactions immediately to local law enforcement and financial institutions.
This isn’t the first time Lemonade has found itself in the headlines regarding how it handles customer data.
Back in May 2021, a “flaw” was discovered that allowed anyone to view other users’ account details simply by using a search engine. Lemonade countered by claiming that the issue was not really a security vulnerability.
In the same year, Lemonade found itself facing allegations that it had made false statements about its collection of customers’ biometric data and use of facial recognition and AI technology.
In response to the recent breach, Lemonade has taken steps to fix the vulnerability and is offering short-term identity protection services to affected customers. However, the company has not disclosed the total number of individuals impacted or detailed how the breach was discovered.