Geico Admits Fraudsters Stole Customers' Driver's License Numbers For Months (techcrunch.com)
Geico, the second-largest auto insurer in the U.S., has fixed a security bug that let fraudsters steal customers' driver's license numbers from its website. From a report: In a data breach notice filed with the California attorney general's office, Geico said information gathered from other sources was used to "obtain unauthorized access to your driver's license number through the online sales system on our website." The insurance giant did not say how many customers were affected by the breach but said the fraudsters accessed customer driver's license numbers between January 21 and March 1. Companies are required to alert the state's attorney general's office when more than 500 state residents are affected by a security incident. Geico said it had "reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name." Many financially driven criminals target government agencies using stolen identities or data. But many U.S. states require a government ID -- like a driver's license -- to file for unemployment benefits. To get a driver's license number, fraudsters take public or previously breached data and exploit weaknesses in auto insurance websites to obtain a customer's driver's license number. That allows the fraudsters to obtain unemployment benefits in another person's name.
It's not stealing (Score:3)
...if you're giving it away.
Re: (Score:2)
Re: (Score:1)
Clearly the data is missing - the Driver's Licence numbers are no longer present _anywhere_ but at the location preferred by the thieves.
you get a free gecko coupon and your rate is goin (Score:2)
you get a free gecko coupon and your rate is going up as we see that you are on unemployment
Kind of understandable ... (Score:1)
Anyway, I digress. The 15 minutes can save 15% tag line is such a fraud, it would be quite understandable if it looked at other fraudsters with some admiration and gave them a sort of professional courtesy ...
Re: (Score:2)
May be a victim (Score:5, Interesting)
I was contacted by my company's HR department last week that they had received an unemployment benefit request from the state in my name.
Obviously, we reported it as fraud, but I was curious as to where they got the information from. Now, it looks like I know as I am a GEICO customer.
Funny though that GEICO has not contacted me at all about this yet.
Re: May be a victim (Score:2)
Re: (Score:2)
Marian, Sehlat, and Hogwart's. That's just for Geico, of course. Curiously enough, my mother had many maiden names, I had lots of childhood pets, and I went to dozens of middle schools, so every website has unique information. No one except the government is really sure when I was born either. Thanks for asking.
Re: (Score:3)
But as to why Geico didn't notify you... Well, depending on just how badly they got pwned, they might not know.
For example... if the data was breached by a hacker leveraging an application layer vulnerability, there is a chance that a half-decent developer put some form of audit trail in the application to record activity. But if the attacker was able to bypass the
Re: (Score:2)
You'd think that they would notify all their customers in the case where they wouldn't be able to definitively identify the victims.
Re: (Score:2)
For example, if they notify *everyone*, then they're essentially conceding that they don't know whose data was taken, which makes a shareholder/customer case for negligence that much easier to prove. Maybe - and I have no idea either way - their actions are being taken defensively, wary of being caught in legal cross-hairs.
Oh noo! (Score:2)
So? (Score:5, Informative)
In several states your driver's license number is created [highprogrammer.com] entirely from publicly available information; to wit (e.g. in Illinois): First, middle, last names, birth date, and gender. If I know these things about you, I can accurately generate your Illinois driver's license number. So there's no particular reason to steal the numbers from a website.
The names are soundex-ed which is not perfectly reversible, but the birthdate and gender can be extracted from the license number.
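The "not perfectly reversible" point above, as an added example that is not part of the original comments: standard American Soundex (assumed here to be the variant the comment refers to) maps many surnames onto one four-character code, so a code cannot be turned back into a unique name. The surnames are constructed sample data, and `soundex` and `collisions` are names chosen for this illustration.

```python
# Added example: standard American Soundex (assumed variant), used to show
# that the name encoding is many-to-one and therefore lossy.
CODES = {ch: digit
         for digit, letters in {"1": "BFPV", "2": "CGJKQSXZ", "3": "DT",
                                "4": "L", "5": "MN", "6": "R"}.items()
         for ch in letters}


def soundex(name):
    """Return the 4-character Soundex code for a name ('' if no letters)."""
    letters = [c for c in name.upper() if "A" <= c <= "Z"]
    if not letters:
        return ""
    out = letters[0]
    prev = CODES.get(letters[0], "")  # first letter's code suppresses a repeat
    for ch in letters[1:]:
        if ch in "HW":
            continue  # H and W do not separate letters with the same code
        code = CODES.get(ch, "")
        if code and code != prev:
            out += code
        prev = code  # a vowel resets prev, so a repeated code is kept
    return (out + "000")[:4]  # pad or truncate to letter + 3 digits


def collisions(names):
    """Group names by Soundex code and keep only codes shared by 2+ names."""
    groups = {}
    for n in names:
        groups.setdefault(soundex(n), []).append(n)
    return {code: sorted(ns) for code, ns in groups.items() if len(ns) > 1}


# Constructed sample surnames, not taken from any real data set.
SAMPLE_SURNAMES = ["Robert", "Rupert", "Smith", "Smyth", "Schmidt",
                   "Jackson", "Jaxon", "Lee", "Leigh"]

if __name__ == "__main__":
    for code, names in sorted(collisions(SAMPLE_SURNAMES).items()):
        print(code, names)
```
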
Re: (Score:1)
A number of states are similar--nothing special about the DL number. The checksum calculation (if existing) is typically trivial and publicly available.
GEICO is the fraudster (Score:3, Interesting)
My lady got hit by some twat who clearly dodged a stop sign just so she could run into her getting on the freeway. You can tell from vehicle photos alone that the other driver was at fault. GEICO sent her a letter before she even made a claim saying that they denied her any claim because she broke the law, which she obviously did not. Again, you can tell from photos alone who hit who. They sent the letter before even seeing the police report.
GEICO is a criminal conspiracy to defraud.
Save 15% (of your PII) by switching to GEICO (Score:1)
The other 85% is just fucked.
yuck (Score:2)
Yuck. GEICO. I used to be a customer. I learned the hard way.