American auto insurance provider GEICO has disclosed a cyber-incident that resulted in driver’s license numbers being compromised.
A wholly owned subsidiary of Berkshire Hathaway, the Government Employees Insurance Company (GEICO) is the second-largest car insurer in the United States and also offers property insurance.
In a data breach notification to impacted individuals, the company reveals that between January 21 and March 1, 2021, fraudsters used customer information acquired elsewhere to gain unauthorized access to driver’s license numbers by abusing the online sales system on Geico’s website.
“We have reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name,” Geico says in a breach notification submitted to the website of California’s Attorney General last week.
According to the company, no other information related to its customers has been compromised in the incident, and there’s no saying whether the stolen data will indeed be used fraudulently, but users should still remain vigilant.
“If you receive any mailings from your state’s unemployment agency/department, please review them carefully and contact that agency/department if there is any chance fraud is being committed,” the company says.
The stolen information could aid attackers in performing fraud or identity theft, but such attempts may be spotted by looking for unauthorized activity in account statements and credit reports.
Geico hasn’t provided information on the number of affected customers. SecurityWeek has contacted the company for more details on the matter and will update the article if a reply arrives.
“Companies need to understand that access management is the fundamental control to help IT professionals achieve security, compliance and privacy requirements for their organization’s valuable data in the cloud,” James Herbert, Solution Engineering Manager, OneLogin, said in an emailed comment.
Herbert added, “In order to protect against the vast quantities of stolen identity information readily available to threat actors, follow these practical tips: activate Multi-Factor Authentication (MFA) and apply contextual risk analysis to detect suspicious behavior to adequately verify a user before providing any sensitive information. Security and access by design remain the key to reducing today’s threat landscape.”