A letter submitted by insurance company Geico to the California attorney general’s office details a data breach that took place earlier this year, exposing customers’ driver’s license numbers. The letter doesn’t include certain pertinent details such as how many people were potentially impacted by the security issue, though it did note the numbers may be used as part of unemployment benefits fraud.
The letter, which was first spied by TechCrunch, is dated April 9 and explains that the security incident took place from January 21 to March 1. During that time, the hacker(s) used customer data “acquired elsewhere” to get access to Geico subscribers’ driver’s license numbers using the company’s online sales system.
The company’s letter explains that it believes “this information could be used to fraudulently apply for unemployment benefits” in the customers’ names. For this reason, Geico customers who receive any unexpected mail from their state’s unemployment agency are encouraged to check it for signs of fraud taking place in their name.
Geico notes that it secured its website when it learned about the issue and that it investigated the cause of the breach. The company’s letter says that Geico has “implemented — and continues to implement — additional security enhancements to help prevent future fraud and illegal activities on our website.”
The company hasn’t yet published a security breach note on its website, but the letter is written to customers and explains that they will be offered a year’s subscription to IdentityForce for identity theft protection. The letter, it seems, includes a one-time code the customers can use to activate the free data monitoring service.