Geico discloses website bug that exposed driver's license numbers
US car insurer Geico said it plugged a bug on one of its official websites that allowed threat actors to obtain customer driver's license numbers for more than a month.
In a data breach notification filed with the California Office of Attorney General last week, the car insurer said that between January 21 and March 1, 2021, it detected exploitation attempts against its website's online sales system.
Geico said threat actors used information about its users that was already made public elsewhere to exploit a bug in its website and match the public data with that user's driver's license number that Geico had stored inside its internal database.
While the incident might look insignificant since only driver's license numbers were exposed, the auto insurer said the data could be abused by attackers to apply for unemployment benefits in the name of some of its customers.
"If you receive any mailings from your state's unemployment agency/department, please review them carefully and contact that agency/department if there is any chance fraud is being committed," the car insurer said in a data breach notification [PDF] sent last week.
Geico said that as soon as it learned of the incident, it plugged the hole on its website.
A Geico spokesperson was not available for comment to provide additional details about the attacks and the number of users who had their data exposed in the attack. The insurer also didn't reply to TechCrunch, which first broke the news earlier today.
Americans lost $36 billion to unemployment fraud
The incident is in line with multiple recent studies[1, 2, 3, 4], which saw a sudden spike in online fraud after the onset of the COVID-19 pandemic and the restrictions that forced many companies to move their business online and rely more and more on their websites.
A big chunk of these fraud attacks focused on hijacking unemployment benefits from Americans.
A recent CNBC report said that scammers stole more than $36 billion from Americans via fraudulently filed unemployment benefits.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.