Insurance giant Geico mailed notifications of a data breach to its customers last week, indicating that an unknown number of driver’s license numbers were compromised during a six-week period early in the year. The notification advised Geico customers that these numbers might be used for fraudulent unemployment claims, urging them to be on the lookout for unusual or suspicious communications from the state government.
Geico data breach window runs from late January to beginning of March
The data breach impacts customers that were with the company from January 21, 2021 to March 1, 2021, most likely auto insurance customers given that Geico says no other information but the driver’s license numbers was leaked. Geico did not reveal exactly how many customers were impacted. The company is the second-largest auto insurance provider in the United States, with some 17 million vehicle policy holders. Geico is headquartered in California and is required by state law to send out a notification such as this when an incident involves at least 500 records.
The breach notification told customers that “fraudsters used information about you, which they acquired elsewhere” to access the driver’s license numbers through the company’s online sales system. The notification goes on to warn customers that fraudulent unemployment claims may have been the intended purpose of the heist, and that they should be vigilant for any communications from state unemployment departments and agencies.
Geico said that it had secured the data breach immediately upon becoming aware of it, and had added “additional security enhancements” meant to curtail fraud. By way of compensation, the company offered customers a free one-year subscription to the IdentityForce identity theft protection service.
To those unfamiliar with the world of fraud, driver’s license numbers might seem like a relatively harmless piece of information to lose if it happens in isolation. Tim Sadler, CEO of email security firm Tessian, points out why this is not the case and why these numbers are very much sought after by cyber criminals: “ … It’s a gold mine for hackers. With a driver’s license number, bad actors can manufacture fake IDs, slotting in the number for any form that requires ID verification, or use the information to craft curated social engineering phishing attacks. In this case, Geico stated that bad actors may be using these driver’s license numbers to fraudulently apply for unemployment benefits in someone else’s name, a scam proving especially lucrative for hackers as unemployment numbers continue to soar. In fact, recent Tessian data found that suspicious unemployment-related emails grew 50% after the third round of stimulus checks was announced in late February. In other cases, a scam using these driver’s license numbers could look like an email that impersonates the DMV, requesting the person verify their driver’s license number, car registration or insurance information, and then inserting a malicious link or attachment into the email … This isn’t the first time that driver’s license numbers have leaked from an auto-insurance provider, indicating that license numbers are in high demand.”
Fraudulent unemployment claims are the leading concern
Part of the recent interest in driver’s license numbers is due to changes brought on by the pandemic, as various types of financial transactions that used to exclusively be conducted in person are transferred online. Some states are also allowing residents to use expired driver’s licenses for various purposes for an extended period, due to difficulty in securing the in-person DMV appointments necessary to renew them.
Speaking to Bank Info Security magazine, Hold Security CTO Alex Holden said that his group was monitoring the situation and had not yet seen the license numbers appear on the dark web. It is possible that the thieves might be keeping them for internal use, however, while attempting to file fraudulent unemployment claims. It is not uncommon for this type of data to appear for sale on underground forums some months after the original hackers feel they have exhausted their personal use for it.
Fraudulent unemployment claims have spiked during the pandemic, as more money has become available to displaced workers and the requirements for filing have eased. Many states have paid out tens of millions to scammers at this point, a phenomenon largely driven by the use of stolen personal information. Hackers have been caught not just using sensitive personal data for these fraudulent unemployment claims, but also hacking into existing unemployment accounts to change bank payment information.
The Department of Labor estimates that pre-pandemic fraudulent unemployment claims accounted for about 10% of all filings. A more normal number is about $3 billion per year in fraud; recent reports indicate that number ballooned to $200 billion during the pandemic. Fraudulent first-time claims drove quite a bit of this activity, but experts expect the problem to persist even as most Americans head back to work. Some will fail to notify the state unemployment office of their change in employment status, creating an opening for scammers.
Already struggling to keep up with an explosion of legitimate claims, some states have become overwhelmed by the added tide of fraudulent unemployment claims and have experienced security lapses as a result. A central issue is that this scheme is available to anyone in the world with an internet connection; the personal information used to file is usually collected from past data breaches that have appeared on the dark web. For example, a cyber crime ring based in Nigeria (Scattered Canary) is thought to be responsible for hundreds of millions in fraud perpetrated in multiple states. Foreign entities can defraud the US government with nothing more than a Gmail address and some sort of associate in the country able to pick up the payments; some create and register fake businesses, use stolen personal information to hire phony “employees,” then lay those employees off and file fraudulent unemployment claims under their names.
Thieves may not even need to engage in fraud to make money from a data breach of this sort. State DMVs are already making a side income by selling the personal information of registrants, something that enterprising hackers might cut in on by offering the same data at a lower price. Timothy Chiu, Vice President of Marketing, K2 Cyber Security, notes that this might serve as a lesson to organizations about evaluating exactly what stored information is considered “valuable” and might draw the special attention of attackers: “This most recent data breach of personal information leaked by Geico is a good reminder to organizations to check for some of the most common application security issues in their public-facing web applications. In this case, it appears a misconfiguration contributed to the issue, and misconfiguration of a site is one of the most common issues causing a vulnerability. The other two most common problems leading to web application compromise are unpatched software and vulnerabilities in application code. The best way to defend against attacks against existing and undetected vulnerabilities is to keep your software up to date, and deploy RASP (Runtime Application Self-Protection) technology to actively monitor the application during runtime.”
James Herbert, Solution Engineering Manager for OneLogin, added the following advice to curtail data breaches: “Companies need to understand that access management is the fundamental control to help IT professionals achieve security, compliance and privacy requirements for their organization’s valuable data in the cloud. In order to protect against the vast quantities of stolen identity information readily available to threat actors, follow these practical tips: activate Multi-Factor Authentication (MFA) and apply contextual risk analysis to detect suspicious behavior to adequately verify a user before providing any sensitive information. Security and access by design remain the key to reducing today’s threat landscape.”