A breach of data at the insurance company Lemonade led to the exposure of the information of thousands of drivers’ licenses for a period of 17 months.
As per the firm, Lemonade discovered on March 14, 2025, that a security flaw in its online car insurance application process had potentially exposed “specific driver’s license numbers belonging to identifiable individuals.”
Lemonade stated that the unauthorized exposure began around April 2024 and lasted until September 2024.
Official filings to the Attorney Generals of Texas, South Carolina, and California made by the insurance company last week disclosed details of the security breach, indicating that affected individuals would be contacted via mail.
It is reported that around 17,563 people in Texas and 1,950 in South Carolina are among those impacted.
The affected online procedure also gathers additional information from applicants for car insurance, including names, birthdates, and residential locations. According to The Record, the auto-population of the driving license number in the application form is typically done by a third-party vendor.
While communicating about the data breach to affected members of the public, Lemonade has not clarified if any other personal data beyond driver’s license numbers was compromised. Nevertheless, the driver’s license details alone could potentially be useful to offenders and scammers.
Lemonade has addressed the vulnerability but has not disclosed any details of how the breach happened or how they became aware of the issue. It is a possibility that they were alerted to the vulnerability by an external party who stumbled upon it.
Mentioning the discovery of the vulnerability does not automatically mean that it was exploited by malicious entities. Lemonade emphasizes in its notification that there is no proof to suggest that the exposed driver’s license details have been exploited by criminals.
Nevertheless, it’s prudent to take precautions. Lemonade is advising affected individuals to follow the company’s recommendations on safeguarding themselves, which include:
- Regularly monitoring their credit accounts and financial reports for suspicious or unauthorized activities.
- Contemplating the placement of a fraud alert or freeze on their credit report.
- Promptly reporting any dubious activities or unauthorized transactions to local law enforcement and financial institutions.
This is not the initial occasion Lemonade has been in the news concerning its management of customer data.
In May 2021, a “weakness” was identified that allowed anyone to access the account information of other users by using a search engine. Lemonade argued that the issue was not actually a security flaw.
In the same year, Lemonade was accused of making false statements about the collection of customers’ biometric data and the utilization of facial recognition and AI technology, leading to a class-action lawsuit.
In response to the recent breach, Lemonade has taken actions to rectify the vulnerability and is providing temporary identity protection services to affected clients. However, the company has not revealed the total count of affected individuals or provided details on how the breach was identified.
About Author
