In a data breach notice sent to customers, Geico said that a security flaw allowed hackers to swipe personally identifiable information (PII) from an estimated 132,000 of its customers between January 21 and March 1.
Geico’s data breach response
Unfortunately for both Geico and its customers, the hackers were a bit too savvy.
“We determined that … fraudsters used information about you which they acquired elsewhere to obtain unauthorized access to your driver’s license number through the online system on our website,” Geico explained to its customers.
“We have reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name. If you receive any mailings from your state’s unemployment agency/department, please review them carefully and contact that agency/department if there is any chance fraud is being committed.”
Geico went on to say that it had secured the data breach the moment it found out about it, and it took the extra step of adding “additional security enhancements” designed to curb fraud. In the company’s mea culpa, it offered customers a complimentary one-year subscription to IdentityForce identity theft protection.
Why do hackers want driver’s license numbers?
Hackers gaining access to driver’s license numbers may not seem like a big risk, especially if it’s an isolated incident. But the truth is that this information is actually very valuable for pulling off scams.
“It’s a gold mine for hackers. With a driver’s license number, bad actors can manufacture fake IDs, slotting in the number for any form that requires ID verification, or use the information to craft curated social engineering phishing attacks,” Tim Sadler, CEO of email security firm Tessian, told data protection site CPO Magazine.
Sadler went on to say that Tessian’s monitoring of related scams grew 50% after the third round of stimulus checks was announced in late February. Most of those were different from what happened to Geico, but he cited one case in which a scam used driver's license numbers to craft an email that impersonated a state’s division of motor vehicles.
The hackers asked the recipient to verify their driver’s license number, car registration, and insurance information. The gotcha? The link where to send that information was malicious, allowing the hackers to plunge further into the victim’s personal data.