15.04.2025
2 min
558
A vulnerability on the Lemonade insurance website could have compromised the driver’s license numbers of thousands of customers over a 17-month period. The company only acknowledged the incident in March 2025, although the leak had been ongoing since April 2023.
Lemonade, an American company specializing in online auto, home, and pet insurance, announced a leak of personal data. The vulnerability in the online application form allowed for the automatic retrieval of driver’s license numbers through a third-party service, even without the user’s consent. The company said that “unauthorized access is possible,” but did not name the exact number of victims.
17,563 people were affected in Texas alone, another 1,950 in South Carolina, and data on other states is currently unknown. Victims are being offered temporary identity monitoring, although Lemonade assures that there is no evidence of abuse.
The Lemonade incident is a reminder of the risks of automated platforms that use third-party integrations without sufficient oversight. Despite claims of “fixing the situation,” losing customer trust can cost a company more than monitoring fees. Businesses should strengthen internal API checks, logging, and access controls to avoid a repeat of Geico or Lemonade.
