An information breach at insurance coverage agency Lemonade left the small print of 1000’s of drivers’ licenses uncovered for 17 months.
In accordance with the corporate, on March 14 2025 Lemonade learnt {that a} vulnerability in its on-line automotive insurance coverage software course of contained a vulnerability that was more likely to have uncovered “sure driver’s license numbers for identifiable people.”
Lemonade says that the unauthorised publicity began in roughly April 2024, and continued by September 2024.
The insurance coverage firm first disclosed particulars of the safety breach in official filings to the Lawyer Generals of Texas, South Carolina, and California final week, revealing that it will be contacting affected people through the mail.
Roughly 17,563 people in Texas and 1,950 people in South Carolina are stated to be amongst these affected.
The affected on-line course of additionally collects different info from automotive insurance coverage candidates, together with names, dates of delivery, and residential addresses. As The File notes, the driving license quantity is usually mechanically populated within the software type by a third-party vendor.
In Lemonade’s knowledge breach notifications being despatched to affected members of the general public, it is not clear whether or not any extra private knowledge past driver’s license numbers was compromised. Regardless, the driving license info by itself may probably be of use to criminals and fraudsters.
Lemonade says that it has resolved the vulnerability, however has not shared any particulars of how the breach occurred or the way it grew to become conscious that it had an issue. It’s potential that they have been tipped off to the vulnerability by a third-party who stumbled throughout the issue.
In fact, information of the existence of the vulnerability doesn’t essentially imply that it was exploited by a malicious social gathering. Lemonade is at pains in its notification letter to underline that it has no proof to recommend that the uncovered driver’s license quantity particulars have been abused by criminals.
Nonetheless, it is higher to be protected than sorry. Impacted people are being suggested by Lemonade to comply with the corporate’s recommendations on shield themselves, together with:
- Monitoring their credit score experiences and monetary accounts for suspicious or unauthorised exercise.
- Take into account putting in a fraud alert or freeze on their credit score file.
- Reporting any suspicious actions or unauthorised transactions instantly to native regulation enforcement and monetary establishments.
This isn’t the primary time Lemonade has discovered itself within the headlines relating to the way it handles buyer knowledge.
Again in Might 2021, a “flaw” was found that allowed anybody to view different customers’ account particulars simply through the use of a search engine. Lemonade countered by claiming that the issue was probably not a safety vulnerability.
In the identical 12 months, Lemonade discovered itself dealing with allegations that it had made false statements about its assortment of consumers’ biometric knowledge and use of facial recognition and AI know-how.
In response to the current breach, Lemonade has taken steps to repair the vulnerability and is providing momentary identification safety companies to affected clients. Nonetheless, the corporate has not disclosed the full variety of people impacted or detailed how the breach was found. 
