TechCrunch has reported that Geico, the second-largest auto insurer in the U.S., has fixed a security bug that let fraudsters steal customers’ driver’s license numbers from its website.
A data breach notice filed with the California attorney general’s office said information gathered from other sources was used to “obtain unauthorized access to your driver’s license number through the online sales system on our website.” According to TechCrunch, Geico did not say how many customers were affected by the breach but said the fraudsters accessed customer driver’s license numbers between January 21 and March 1. Companies are required to alert the state’s attorney general’s office when more than 500 state residents are affected by a security incident. Geico said it had “reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name.”
<p>The customer data theft from Geico is a stark reminder of security bugs and vulnerabilities with typical websites. According to Verizon’s Data Breach Investigations Report, approximately 81% of data breaches occur due to poor passwords or compromised credentials. Traditional Two-factor Authentication (2FA) is also vulnerable to \"man-in-the middle” or MITM attacks. Companies can and should embrace passwordless methods like \"phone as a token\" or FIDO2 to improve security and reduce dependence on passwords. Also an added benefit is that such technologies are easier to use which improves the overall user experience.</p>
<p>This is infuriating. Geico is essentially skirting blame for this breach, and worse – making the victims take responsibility for protecting their driver\’s license number from being used to fraudulently apply for unemployment benefits. In the notice of breach letter, Geico states, \"fraudsters used information about you – which they acquired elsewhere…\" What information exactly and from where? Geico either doesn\’t know or won\’t say. In response, they are offering 1 year of free identity-theft protection, but that doesn\’t address the unemployment benefits fraud that they admit is the imminent threat. Geico customers must monitor state unemployment communications and contact the agency if they experience a problem. Do you know how hard it is to contact any US state unemployment agency during a pandemic? It\’s a nightmare and overwhelmingly time-consuming. There are better ways to protect customers from fraud. Security analytics can detect and stop fraudsters before they drive off with your PII.</p>
<p>This most recent data breach of personal information leaked by Geico is a good reminder to organizations to check for some of the most common application security issues in their public facing web applications. In this case, it appears a misconfiguration contributed to the issue, and misconfiguration of a site is one of the most common issues causing a vulnerability. The other two most common problems leading to web application compromise are unpatched software and vulnerabilities in application code. The best way to defend against attacks against existing and undetected vulnerabilities is to keep your software up to date, and deploy RASP (Runtime Application Self-Protection) technology to actively monitor the application during runtime.</p>
<p>Insurance companies deal with more sensitive data than many other financial firms, including data acquired from quoting new prospects, handling multi-party claims, and deep risk analytics. Consequently, personal data is pervasive across the insurance supply chain, and at risk of compromise if not protected end-to-end from agents through operational claims platforms and on to corporate risk analytic platforms with modern data-centric approaches as used by leading insurance firms. Driver’s license data is particularly sensitive and its disclosure may result in fraudulent insurance or a line of credit, significantly impacting consumer trust for affected individuals. While it’s not clear yet how this data was leaked, the breach shows that even industry leaders can succumb to data compromise from gaps in data-security effectiveness leading to breach notification.</p>