
Lemonade reports breach of 190,000 driver’s license numbers
Insurtech Lemonade has reported to the Securities and Exchange Commission (SEC) that the cause of a breach of 190,000 driver’s license numbers has been resolved.
An April 4 report to the SEC states that Lemonade concluded a technical issue in its car insurance quote flow was to blame for the exposure of data received by an application programming interface (API) call to a third-party data provider.
“As part of the quote flow, information is sent to and from a server to a user’s browser, and includes data required to generate a quote,” the statement says. “This issue caused certain data to be transmitted without Lemonade’s standard means of protection. As a result, Lemonade will be notifying approximately 190,000 individuals whose driver’s license numbers were sent in unencrypted form. Once discovered, the company took appropriate measures to resolve the vulnerability.
“Based on the company’s current knowledge of the facts and circumstances related to the incident, the company’s operations were not compromised, nor was Lemonade customer data targeted, and the company has determined that the incident is not material. The company will be notifying regulators of this Incident, consistent with its legal obligations.”
Lemonade did not reply to questions about the incident sent by Repairer Driven News by the publication deadline.
Security Week reports that notification letters were sent to regulators in several states informing them of the incident, which occurred between April 2023 and September 2024.
“We have no evidence to suggest that your driver’s license number has been misused but we are providing this notice as a precaution to inform potentially affected individuals and share some steps you can take to help protect yourself,” Security Week reports the company’s notification letter states.
The article also states that Lemonade will provide impacted individuals with one year of free credit monitoring and identity protection services.
In March, Lemonade announced it had surpassed $1 billion of In Force Premium (IFP).
“This marks a significant milestone for the company, coming just 8.5 years after selling its first policy, and reflecting a ~150% compound annual growth rate,” a press release states.
“This rapid growth was enabled by Lemonade’s investment in technology, broad product portfolio, deep geographic reach, and a persistent focus on building the best customer experience.”
Lemonade Car also expanded its insurance offerings to Colorado, bringing availability to 40% of the U.S. car insurance market, according to the release.
In 2022, Lemonade agreed to pay $4 million to settle a class action lawsuit that claims it unlawfully collected and stored the biometric information of its customers through its software.
The New York-based company also agreed to delete all biometric identifiers it had collected, including retina scans, fingerprints, voiceprints, and scans of faces or hands. It said it stopped collecting such information in May 2021, after the suit was filed.
At next week’s Collision Industry Conference (CIC) meeting, the Data Access, Privacy & Security Committee will discuss the topic of data vulnerability at 1:20 p.m. on April 30 during a session titled “From Threat to Safety: Navigating Data Vulnerability and Mitigation Practices.”
According to the meeting agenda, the committee will “explore the nature of cyber attacks, their effects, and the strategies employed to detect, prevent, and respond to them.”
It adds, “In today’s environment, everyone is at risk, from the individual shop owner to the largest MSO. Don’t let your business, or even your personal life, be disrupted by a cyber attack.”