Insurance firm Lemonade warns of breach of thousands of driving license numbers

Graham CLULEY

April 16, 2025


A data breach at insurance firm Lemonade left the details of thousands of drivers' licenses exposed for 17 months.

According to the company, on March 14 2025 Lemonade learnt that its online car insurance application process contained a vulnerability that was likely to have exposed "certain driver's license numbers for identifiable individuals."

Lemonade says that the unauthorised exposure started in approximately April 2024, and continued through September 2024.

The insurance company first disclosed details of the security breach in official filings to the Attorneys General of Texas, South Carolina, and California last week, revealing that it would be contacting affected individuals via the mail.

Approximately 17,563 individuals in Texas and 1,950 individuals in South Carolina are said to be amongst those affected.

The affected online process also collects other information from car insurance applicants, including names, dates of birth, and residential addresses. As The Record notes, the driving license number is typically automatically populated in the application form by a third-party vendor.

In Lemonade's data breach notifications being sent to affected members of the public, it isn't clear whether any additional personal data beyond driver's license numbers was compromised. Regardless, the driving license information on its own could potentially be of use to criminals and fraudsters.

Lemonade says that it has resolved the vulnerability, but has not shared any details of how the breach occurred or how it became aware that it had a problem. It is possible that the company was tipped off to the vulnerability by a third party who stumbled across the problem.

Of course, news of the existence of the vulnerability does not necessarily mean that it was exploited by a malicious party. Lemonade is at pains in its notification letter to underline that it has no evidence to suggest that the exposed driver's license number details have been abused by criminals.

Nonetheless, it's better to be safe than sorry. Impacted individuals are being advised by Lemonade to follow the company's tips on how to protect themselves, including:

  • Monitoring their credit reports and financial accounts for suspicious or unauthorised activity.
  • Considering putting in place a fraud alert or freeze on their credit file.
  • Reporting any suspicious activities or unauthorised transactions immediately to local law enforcement and financial institutions.

This isn’t the first time Lemonade has found itself in the headlines regarding how it handles customer data.

Back in May 2021, a "flaw" was discovered that allowed anyone to view other users’ account details just by using a search engine. Lemonade countered by claiming that the problem was not really a security vulnerability.

In the same year, Lemonade found itself facing allegations that it had made false statements about its collection of customers' biometric data and use of facial recognition and AI technology.

In response to the recent breach, Lemonade has taken steps to fix the vulnerability and is offering temporary identity protection services to affected customers. However, the company has not disclosed the total number of individuals impacted or detailed how the breach was discovered. 

Author


Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
