A data breach at insurance company Lemonade left the details of thousands of drivers’ licenses exposed for 17 months.
According to the company, on March 14 2025 Lemonade learnt that its online car insurance application process contained a vulnerability that was likely to have exposed “certain driver’s license numbers for identifiable people.”
Lemonade says that the unauthorised exposure started in approximately April 2024, and continued through September 2024.
The insurance company first disclosed details of the security breach in official filings to the Attorneys General of Texas, South Carolina, and California last week, revealing that it would be contacting affected individuals via the mail.
Approximately 17,563 individuals in Texas and 1,950 individuals in South Carolina are said to be among those affected.
The affected online process also collects other information from car insurance applicants, including names, dates of birth, and residential addresses. As The Record notes, the driving license number is typically automatically populated in the application form by a third-party vendor.
In Lemonade’s data breach notifications being sent to affected members of the public, it is not clear whether any additional personal data beyond driver’s license numbers was compromised. Regardless, the driving license information on its own could potentially be of use to criminals and fraudsters.
Lemonade says that it has resolved the vulnerability, but has not shared any details of how the breach occurred or how it became aware that it had a problem. It’s possible that they were tipped off to the vulnerability by a third party who stumbled across the problem.
Of course, knowledge of the existence of the vulnerability doesn’t necessarily mean that it was exploited by a malicious party. Lemonade is at pains in its notification letter to underline that it has no evidence to suggest that the exposed driver’s license number details have been abused by criminals.
Nonetheless, it is better to be safe than sorry. Impacted individuals are being advised by Lemonade to follow the company’s tips on how to protect themselves, including:
- Monitoring their credit reports and financial accounts for suspicious or unauthorised activity.
- Considering putting in place a fraud alert or freeze on their credit file.
- Reporting any suspicious activities or unauthorised transactions immediately to local law enforcement and financial institutions.
This isn’t the first time Lemonade has found itself in the headlines regarding how it handles customer data.
Back in May 2021, a “flaw” was discovered that allowed anyone to view other users’ account details just by using a search engine. Lemonade countered by claiming that the problem was not really a security vulnerability.
In the same year, Lemonade found itself facing allegations that it had made false statements about its collection of customers’ biometric data and use of facial recognition and AI technology.
In response to the recent breach, Lemonade has taken steps to fix the vulnerability and is offering temporary identity protection services to affected customers. However, the company has not disclosed the total number of individuals impacted or detailed how the breach was discovered.