We are all familiar with the GEICO gecko offering deals on
auto and other insurance. If you have 15 minutes, you can save a few hundred
dollars. GEICO is the second-largest auto insurer in the US and has a broad
client base. A company this large holds ample data across its different
systems for attackers to target.
Unfortunately, there was a successful attack earlier this year.
It targeted their clients' driver's license numbers. The unauthorized
parties had access from January 21 to March 1, 2021, or approximately
six weeks. GEICO did file a data breach
notice with the California attorney general. The affected clients were also
notified by letter.
As much fun as it is for the customers, an examination of
the root cause is important. The attack point was the online system, which exhibited
the vulnerability. Imagine how much data you could access in six weeks…
There are various uses for this seemingly basic information.
One noted in the GEICO client notification letter was the potential to use it
for false unemployment claims. There could be other uses when it is combined
with other data.
While the attack point was the portal, GEICO has not
published the exact vulnerability that allowed this to occur.
In addition to closing the vulnerability, GEICO has implemented
other security measures to mitigate any potential future
issues. GEICO is also providing a one-year subscription to Identity Force to
monitor for identity theft.