Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Privacy Security

Geico Admits Fraudsters Stole Customers' Driver's License Numbers For Months (techcrunch.com) 21

Geico, the second-largest auto insurer in the U.S., has fixed a security bug that let fraudsters steal customers' driver's license numbers from its website. From a report: In a data breach notice filed with the California attorney general's office, Geico said information gathered from other sources was used to "obtain unauthorized access to your driver's license number through the online sales system on our website." The insurance giant did not say how many customers were affected by the breach but said the fraudsters accessed customer driver's license numbers between January 21 and March 1. Companies are required to alert the state's attorney general's office when more than 500 state residents are affected by a security incident. Geico said it had "reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name." Many financially driven criminals target government agencies using stolen identities or data. But many U.S. states require a government ID -- like a driver's license -- to file for unemployment benefits. To get a driver's license number, fraudsters take public or previously breached data and exploit weaknesses in auto insurance websites to obtain a customer's driver's license number. That allows the fraudsters to obtain unemployment benefits in another person's name.
This discussion has been archived. No new comments can be posted.

Geico Admits Fraudsters Stole Customers' Driver's License Numbers For Months

Comments Filter:
  • by nospam007 ( 722110 ) * on Tuesday April 20, 2021 @01:45PM (#61294740)

    ...if you're giving it away.

  • you get an free gecko coupon and your rate is going up as we see that you are on unemployment

  • You see many doctors will treat families of other doctors for free on a sort of professional courtesy. Or at least they used to, long time ago, may be when patients were paying the doctors with live chicken or a pot roast.

    Anyway, I digress. The 15 minutes can save 15% tag line is such a fraud, it would be quite understandable if it looked at other fraudsters with some admiration and gave them a sort of professional courtesy ...

  • May be a victim (Score:5, Interesting)

    by The-Ixian ( 168184 ) on Tuesday April 20, 2021 @01:55PM (#61294784)

    I was contacted by my company's HR department last week that they had received an unemployment benefit request from the state in my name.

    Obviously, we reported it as fraud, but I was curious as to where they got the information from. Now, it looks like I know as I am a GEICO customer.

    Funny though that GEICO has not contacted me at all about this yet.

    • by ytene ( 4376651 )
      I'd agree with you... the probability is high that it was the Geico breach that resulted in someone applying for unemployment in your name.

      But as to why Geico didn't notify you... Well, depending on just how badly they got pwned, they might not know.

      For example... if the data was breached by a hacker leveraging an application layer vulnerability, there is a chance that a half-decent developer put some form of audit trail in the application to record activity. But if the attacker was able to bypass the
      • You'd think that they would notify all their customers in the case where they wouldn't be able to definitively identify the victims.

        • by ytene ( 4376651 )
          They could be in a damned-if-they-do, damned-if-they-don't position right now.

          For example, if they notify *everyone*, then they're essentially conceding that they don't know whose data was taken, which makes a shareholder/customer case for negligence that much easier to prove. Maybe - and I have no idea either way, their actions are being taken defensively, wary of being caught in legal cross-hairs.
  • And no one will be held accountable as always. Only one that would be punished is hacker (if ever cought)
  • So? (Score:5, Informative)

    by Crash Gordon ( 233006 ) on Tuesday April 20, 2021 @02:14PM (#61294860)

    In several states your driver's license number is created [highprogrammer.com] entirely from publicly available information; to wit (e.g. in Illinois): First, middle, last names, birth date, and gender. If I know these things about you, I can accurately generate your Illinois driver's license number. So there's no particular reason to steal the numbers from a website.

    The names are soundex-ed which is not perfectly reversible, but the birthdate and gender can be extracted from the license number.

    • by smap77 ( 1022907 )

      A number of states are similar--nothing special about the DL number. The checksum calculation (if existing) is typically trivial and publicly available.

  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Tuesday April 20, 2021 @02:21PM (#61294882) Homepage Journal

    My lady got hit by some twat who clearly dodged a stop sign just so she could run into her getting on the freeway. You can tell from vehicle photos alone that the other driver was at fault. GEICO sent her a letter before she even made a claim saying that they denied her any claim because she broke the law, which she obviously did not. Again, you can tell from photos alone who hit who. They sent the letter before even seeing the police report.

    GEICO is a criminal conspiracy to defraud.

  • The other 85% is just fucked.

  • Yuck. GEICO. I used to be a customer. I learned the hard way.

Keep up the good work! But please don't ask me to help.

Working...