Insurtech company Lemonade has disclosed to the Securities and Exchange Commission (SEC) that the issue leading to the exposure of 190,000 driver’s license numbers has been addressed. In a report submitted on April 4, the company indicated that a technical glitch within its car insurance quote system was responsible for the unencrypted transmission of sensitive data via an application programming interface (API) to a third-party vendor.
The SEC filing clarifies that during the quote generation process, data is exchanged between a server and the user’s browser, which includes essential information required for the quote. However, this incident resulted in certain data being transmitted without Lemonade’s typical protective measures. Consequently, the company will reach out to nearly 190,000 affected individuals whose driver’s license numbers were compromised in an unencrypted format. Upon discovering this vulnerability, Lemonade promptly implemented measures to rectify the problem.
Lemonade has assessed that, based on its current understanding of the matter, its operations remained uncompromised, and customer data was not intentionally targeted. The company has classified the incident as not material and indicated it will comply with regulatory notification requirements as mandated by law.
Queries regarding the incident posed to Lemonade by Repairer Driven News went unanswered before publication. Meanwhile, SecurityWeek reports that notification letters have been dispatched to various state regulators detailing the breach, which transpired between April 2023 and September 2024.
The notification letter reportedly indicates, “We have no evidence to suggest that your driver’s license number has been misused, but we are providing this notice as a precaution to inform potentially affected individuals and to outline steps they can take to protect themselves.” Additionally, impacted individuals will be offered one year of complimentary credit monitoring and identity protection services.
Earlier in March, Lemonade announced that it had exceeded $1 billion in In Force Premium (IFP), a noteworthy achievement occurring just 8.5 years after the company sold its first policy. This growth, reflected in an approximately 150% compound annual growth rate, has been attributed to the company’s commitment to technology, a diversified product portfolio, and a focus on enhancing the customer experience.
Lemonade has also expanded its car insurance offerings to Colorado, thereby increasing its reach to approximately 40% of the U.S. car insurance market. In a previous incident, the New York-based firm agreed in 2022 to a $4 million settlement regarding a class action lawsuit that alleged improper collection and storage of biometric data.
At the upcoming Collision Industry Conference (CIC) meeting, the Data Access, Privacy & Security Committee is scheduled to address data vulnerabilities during a session titled “From Threat to Safety: Navigating Data Vulnerability and Mitigation Practices.” This session promises to delve into the implications of cyberattacks and the strategies available for their detection, prevention, and response, highlighting the universal risk posed to businesses of all sizes.
This incident serves as a reminder in our technology-reliant landscape that no entity is immune to cyber vulnerabilities, from small business owners to large multi-service organizations.