AssuranceAmerica data breach exposed nearly 7 million driver’s license numbers

U.S. car insurance provider AssuranceAmerica has confirmed a data breach that exposed the personal information and driver’s license numbers of nearly 7 million people. It is the largest known exposure of Americans’ driver’s license data so far this year, and it comes at a time when identity document breaches are becoming alarmingly common.

According to TechCrunch, the company discovered hackers inside its systems on March 17 and wrapped up its investigation on June 15. AssuranceAmerica then filed breach notices with multiple state attorneys general, listing the number of affected individuals at 6.99 million. Notification letters to affected customers are set to go out on July 10.

Founded in 1998, AssuranceAmerica sells car and rental insurance across more than a dozen U.S. states. Because it underwrites policies for drivers, it collects a significant amount of sensitive personal data, including state-issued driver’s license numbers. In the wrong hands, that information can be used to commit fraud and impersonate real people.

The company said the hackers “targeted one of the Company’s employees” and that it subsequently “disabled compromised credentials.” That phrasing points to a common attack pattern. Stolen employee login credentials are often obtained through password-stealing malware or via breaches of third-party software that employees use. AssuranceAmerica did not specify exactly how the credentials were taken.

The data stolen in the breach is extensive. Beyond driver’s license numbers and contact details, the hackers also took:

  • Auto insurance policy and account information
  • Details about customers’ drivers and vehicles
  • Information about customer claims

The company did not clarify what other types of personal information may have been included. TechCrunch sent questions to AssuranceAmerica CEO Joe Skruck and founder Guy Millner, including whether the company had any contact with the hackers or paid a ransom. Neither responded.

This breach does not exist in isolation. It follows a wave of incidents targeting identity documents in recent months. In June, the Texas state government confirmed that hackers stole information tied to at least 3 million driver’s licenses and passport numbers during an attack on the state’s parks and wildlife division. Separate incidents have also hit a hotel check-in system, a money transfer app, a prison payphone provider, and a U.K. visa service, together exposing millions of government-issued identity documents.

The timing matters. Governments around the world are pushing age-verification laws that require websites and apps to collect identity documents from users. That creates a growing pool of sensitive data sitting with companies that may not be equipped to protect it. Every new breach adds more raw material for fraud, and driver’s license numbers are particularly useful to bad actors because they are tied to a person’s legal identity in a way that is hard to undo.

For anyone who holds an AssuranceAmerica policy, the practical risks are real. A driver’s license number, combined with a name and contact details, gives a fraudster enough to open accounts, file false claims, or impersonate someone with government agencies. Affected individuals should monitor their credit reports, watch for unexpected account activity, and be cautious of any unsolicited contact that references their insurance or personal details.