Lemonade notifies 190,000 people after driver’s license data was sent unencrypted due to a tech flaw in its car insurance application process.
Lemonade Inc. has begun sending notification letters to about 190,000 people after their driver’s license numbers were transmitted unencrypted, according to regulatory filings.
According to an April 9 filing with the Securities and Exchange Commission, the company said a technical issue in its online car insurance application process exposed data in an application programming interface call to a third-party data provider.
According to the filing, certain information is sent between a server and a user’s browser as part of the online application process. This includes data used to generate an insurance quote.
Lemonade learned of the issue on March 14 and, according to a notice filed with the California Attorney General’s office, said the exposures likely lasted from April 2023 through March 2024.
The technical issue allowed the data to be sent out without the normal means of protection used by Lemonade and the driver’s license numbers were left without encryption. The company said has since taken measures to resolve the vulnerability.
Also Read: At Google Cloud Next, a Unified Push to Fortify Enterprise Cybersecurity
Lemonade said none of its operations were compromised and customer data was not targeted. The company said it does not consider the incident to be “material” to operations or financial results.
The company said it will notify regulators based on its legal obligations.
A spokesperson for the company was not immediately available.
Lemonade offers various policies, including renters, homeowners, pets, auto and life insurance in the U.S. and parts of Europe. It has more than 2.4 million customers.
