By Chris Munro
April 15 - (The Insurer) - Lemonade is sending notices to around 190,000 individuals whose driver’s license numbers were exposed over what is believed to have been a 17-month period spanning April 2023 through to September 2024.
In an 8-K filing issued on April 4, New York-based insurtech Lemonade said it had “recently concluded” that a technical issue within its car insurance quote flow “likely led” to the exposure of certain data received by an application programming interface call to a third-party data provider.
As Lemonade explained in the 8-K filing, as part of that quote flow, data is sent back and forth between a server and a user’s browser. That flow includes information that Lemonade needs to generate a quote.
“This issue caused certain data to be transmitted without Lemonade’s standard means of protection,” the insurtech said.
“As a result, Lemonade will be notifying approximately 190,000 individuals whose driver’s license numbers were sent in unencrypted form,” the company noted.
“Once discovered, the company took appropriate measures to resolve the vulnerability.”
Lemonade has sent letters to those it believes are impacted, informing customers that their driver’s license number “was likely exposed”.
“We have no evidence to suggest that your driver’s license number has been misused but we are providing this notice as a precaution to inform potentially affected individuals and share some steps you can take to help protect yourself,” the insurtech states in the letter.
The precise breakdown of where the affected customers are based is unclear, but according to the Attorney General of Texas’ website, 17,563 are based in the Lone Star State.
A further 1,950 are located in South Carolina, according to that state’s attorney general’s website. The California Attorney General has also confirmed affected customers are based in the Golden State.
According to its SEC filing, based on its current knowledge of the facts and circumstances related to the incident, Lemonade’s operations were not compromised.
Lemonade also said customer data was not targeted.
“The company has determined that the incident is not material,” it declared in the 8-K.
In March, it was announced that insurtech Root would pay $975,000 in penalties to the state of New York after a data breach exposed the personal information of approximately 45,000 Empire State residents.
Root discovered the vulnerability in January 2021, when bad actors exploited a prefill flaw to access sensitive data, according to New York Attorney General Letitia James.
And in late 2024, it was announced that Geico and Travelers Indemnity Company had been fined $9.75 million and $1.55 million, respectively, over what James said were failures to protect consumers’ personal information.
Those failures led to the exposure of 120,000 New Yorkers’ personal information that hackers used to file fraudulent unemployment claims during the Covid-19 pandemic.
At the time of publication, Lemonade had not responded to a request for comment.