Geico, the second-largest auto insurer in the U.S., has fixed a security bug that let bad actors steal customers’ driver’s license numbers from its website.
Auto Insurer Data breach
Geico suffered a data leak earlier this year that exposed customers’ driver’s license numbers for more than a month, according to a data breach notice filed with the attorney general of California. First reported by TechCrunch, Geico says in the notice that it has fixed the security issue that led to the breach.
The filing, first obtained and reported by online newspaper TechCrunch, included a message sent to some Geico customers on April 9. “We recently determined that between January 21, 2021 and March 1, 2021, fraudsters used information about you – which they acquired elsewhere – to obtain unauthorized access to your driver’s license number through the online sales system on our website,” the notice reads. “We have reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name.”
The report doesn’t say how many customers may have been affected or whether the breach was limited to California. But California law states that “any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach” must submit a copy of the notice to the attorney general’s office.
“We have reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name,” added Geico, the second-largest auto insurer in the country.
In the notice sent to affected customers, Geico urged vigilance and offered a 1-year subscription to IdentityForce, an “identity-theft protection service.” Geico explained in the notice that it did not know for certain whether the customer’s driver’s license number had been used, but that it was a possibility.
Fraudulent claims for unemployment benefits
Some states reported an increase in fraudulent claims last spring, which were discovered when people began receiving notifications about unemployment benefits for which they never applied. Most US states require identification such as a driver’s license to file for unemployment benefits.
By November of last year, the US Department of Labor’s Office of Inspector General estimated that states paid out up to $36 billion in “improper benefits,” with much of the impropriety attributed to fraud, according to the report.
If you are a Geico customer and you’ve received correspondence (email) from your state government and haven’t filed for unemployment benefits, there’s a good chance your personal data may have been used fraudulently.