Lemonade, an insurance firm based in New York, recently revealed a data breach that exposed driver’s license numbers. The breach occurred between April 2023 and September 2024 due to a vulnerability in their online insurance application platform. The vulnerability allowed unauthorized access to sensitive information, including driver’s license numbers, which were automatically populated by a third-party vendor during the application process. Lemonade discovered the breach in March 2025 and promptly began notifying affected individuals.
The breach impacted thousands of users, with at least 17,563 people in Texas and 1,950 people in South Carolina affected. However, the total number of victims and states involved remains unclear. In response, Lemonade offered temporary identity protection services to those impacted, though it did not clarify the exact steps taken to resolve the vulnerability. The company has yet to disclose how it was initially alerted to the issue or how many individuals were affected overall.
While Lemonade emphasized that there is no evidence the exposed data was misused, the breach highlights growing concerns about identity theft. Cybercriminals have previously targeted similar platforms, using stolen driver’s license numbers for fraudulent activities, including scams and identity theft. In fact, a similar issue resulted in a fine for insurance giants Geico and Travelers, who were fined more than $11 million for exposing driver’s license numbers of 120,000 New Yorkers through a similar online application process.
This breach follows a trend of cyberattacks targeting insurance platforms that pre-fill customer information, exposing sensitive data. Hackers exploited these vulnerabilities to steal personal information and carry out fraudulent activities, such as filing fake unemployment claims. Lemonade’s breach underscores the risks posed by such vulnerabilities and the ongoing challenges companies face in protecting personal data from increasingly sophisticated cybercriminals.
Reference:
