Data Privacy Alert: Geico Customer Data Breach and Fraudulent Unemployment Claims

Data breaches are driven by the monetization opportunities for stolen data. Many states use driver’s license numbers or other state IDs as a means of validating online identities. Naturally, this makes auto insurers a target for data theft, so that these identities can be exploited. 

At the same time, the increase in government funding for unemployment claims has made fraudulent claims more lucrative. Challenges faced by overwhelmed state unemployment systems mean the risks are lessened. This opportunity means that retail insurers such as Geico are often in the crosshairs. They are generally a target-rich environment, with many internet-facing systems that collect personal information. 

For this reason, insurance companies and brokers must invest in systems that both protect that data from harm and enable the organization to investigate, remediate and recover from incidents when they occur. Legal and compliance organizations must have an operational incident response plan, forensic investigation capabilities, and breach review services available. This is the only sensible response to the heightened risks associated with these businesses.

Overview

Insurance company Geico recently sent notifications of a data breach to its customers last week, indicating that an unknown number of driver’s license numbers were compromised during a six-week period early in the year. The notification advised Geico customers that these numbers might be used for fraudulent unemployment claims.

Download the Data Privacy Alert Here!

What You Need to Know

The data breach impacts customers (most likely auto insurance customers given that Geico says only driver’s license numbers were leaked) that were with the company from January 21, 2021 to March 1, 2021.

The company is the second-largest auto insurance provider in the United States, with some 17 million vehicle policy holders. Geico is headquartered in California and is required by state law to send out a notification such as this when an incident involves at least 500 records.

Part of the recent interest in driver’s license numbers is due to changes brought on by the pandemic, as various types of financial transactions that used to exclusively be conducted in person are transferred online. Some states are also allowing residents to use expired driver’s licenses for various purposes for an extended period, due to difficulty in securing the in person DMV appointments necessary to renew them.

Expert Analysis from Dan Sholler, Exterro Data Privacy

Data breaches are driven by profit. Any time there is a means of making money by using false identity information, it drives demand for that information, and provides an impetus for data breaches. In today’s economy, unemployment insurance fraud is a significant source of money, so thieves are searching for the kind of information that can open those doors.

Data Privacy Tip

To learn more about activating a compliant and defensible incident and data breach management strategy, check out Exterro's Basics of Data Privacy chapter on Cyber incidents and data breach management.