A data breach at insurance firm Lemonade left the details of hundreds of drivers’ licenses exposed for 17 months.
According to the company, on March 14 2025 Lemonade learned that its online car insurance application process contained a vulnerability that was likely to have exposed “certain driver’s license numbers for identifiable people.”
Lemonade says that the unauthorised exposure started in approximately April 2024, and continued through September 2024.
The insurance company first disclosed details of the security breach in official filings to the Attorneys General of Texas, South Carolina, and California last week, revealing that it would be contacting affected individuals by mail.
Roughly 17,563 people in Texas and 1,950 people in South Carolina are said to be among those affected.
The affected online process also collects other information from car insurance applicants, including names, dates of birth, and residential addresses. As The Record notes, the driving license number is often automatically populated in the application form by a third-party vendor.
In Lemonade’s data breach notifications being sent to affected members of the public, it is not clear whether any additional personal data beyond driver’s license numbers was compromised. Regardless, the driving license information on its own could potentially be of use to criminals and fraudsters.
Lemonade says that it has resolved the vulnerability, but has not shared any details of how the breach occurred or how it became aware that it had a problem. It’s possible that they were tipped off to the vulnerability by a third party who stumbled across the issue.
Of course, knowledge of the existence of the vulnerability does not necessarily mean that it was exploited by a malicious party. Lemonade is at pains in its notification letter to underline that it has no evidence to suggest that the exposed driver’s license number details have been abused by criminals.
Nonetheless, it is better to be safe than sorry. Impacted individuals are being advised by Lemonade to follow the company’s recommendations on how to protect themselves, including:
- Monitoring their credit reports and financial accounts for suspicious or unauthorised activity.
- Considering placing a fraud alert or freeze on their credit file.
- Reporting any suspicious activity or unauthorised transactions immediately to local law enforcement and financial institutions.
This isn’t the first time Lemonade has found itself in the headlines regarding how it handles customer data.
Back in May 2021, a “flaw” was discovered that allowed anyone to view other users’ account details simply by using a search engine. Lemonade countered by claiming that the problem was not really a security vulnerability.
In the same year, Lemonade found itself facing allegations that it had made false statements about its collection of customers’ biometric data and use of facial recognition and AI technology.
In response to the latest breach, Lemonade has taken steps to fix the vulnerability and is offering temporary identity protection services to affected customers. However, the company has not disclosed the total number of individuals impacted or detailed how the breach was discovered.