Expert Commentary on the Geico Data Breach Disclosure
Insurance company Geico recently filed a data breach notice with the California attorney general. According to the disclosure, the breach occurred between January 21, 2021 and March 1, 2021 and exposed customers’ driver’s license numbers.
However, Geico did not disclose how many customers might have been affected, nor whether the breach was limited to California. Driver’s license numbers are a common identity-verification input, and the notice itself warns that they can be used to file fraudulent unemployment claims.
The Geico data breach notice reads in part: “We recently determined that between January 21, 2021 and March 1, 2021, fraudsters used information about you – which they acquired elsewhere – to obtain unauthorized access to your driver’s license number through the online sales system on our website.” Read plainly, this describes abuse of a public-facing feature rather than a break-in: the online sales flow returned a driver’s license number to anyone who could supply the other personal details it asked for, so personal data already circulating from earlier breaches was enough to harvest licenses.
We consulted with cybersecurity experts to learn more.
Rajiv Pimplaskar
Rajiv Pimplaskar is Vice President of Veridium.
“The customer data theft from Geico is a stark reminder of security bugs and vulnerabilities with typical websites. According to Verizon’s Data Breach Investigations Report, approximately 81% of data breaches occur due to poor passwords or compromised credentials. Traditional Two-factor Authentication (2FA) is also vulnerable to “man-in-the-middle” or MITM attacks. Companies can and should embrace passwordless methods like “phone as a token” or FIDO2 to improve security and reduce dependence on passwords. Also, an added benefit is that such technologies are easier to use which improves the overall user experience.”
Brent Johnson
Brent Johnson is CISO at Bluefin.
“Companies need to understand the difference between “data breach” and “data theft” which are often used interchangeably in the news. A breach occurs any time a hacker gains unauthorized access to data, whether they steal it or not. Data theft involves a hacker extracting data from an enterprise’s systems, like what’s happened here with Geico. Tactics like two-factor authentication to strengthen password protection and training employees to spot phishing emails are common cybersecurity efforts that aim to prevent data breaches and data theft. However, these efforts only strengthen the digital “walls” protecting sensitive data. Enterprises need to operate under the assumption that every wall has its gaps. Eventually, a hacker will break through and unless you’ve made your data useless to hackers, a compromise is likely to occur.”
Jon Clemenson
Jon Clemenson is Director, Information Security at TokenEx.
“If a business is collecting sensitive data from its customers, as in Geico’s case, a driver’s license with names and birthdates, etc., they are obligated to protect it. Any intrusion into Geico’s systems will put its customers at risk. We recommend businesses implement a proactive and data-centric security approach to guard against exfiltration events like this for their customers. Maintaining a sound security posture includes integrating tools throughout the technology stack – businesses must consider solutions like tokenization, which anonymize sensitive data to reduce risk and simplify compliance. While Geico works to determine exactly what led to this breach, we look at this news as a reminder to all businesses that it’s simply not enough to protect credit card or transaction data. To safeguard your customers from identity theft or fraud, you must protect all sensitive data that you have collected.”
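Both Johnson’s point (make the data useless to whoever reaches it) and Clemenson’s (tokenize sensitive fields) come down to the same design: the web application stores and displays a token or a masked value, and the real license number lives in a separate vault behind its own authorization check. The following Python is an added illustration written for this page; it is not TokenEx’s, Geico’s, or any vendor’s code, and the vault class, the `dl:read` scope, and the sample customer record are all hypothetical.

```python
import hmac
import secrets
from hashlib import sha256


class TokenVault:
    """Hypothetical tokenization vault (added example, not a vendor's product).

    Application records keep only a random token; the raw driver's license number
    lives here, behind a separate access check, so abuse of the application database
    or its customer-facing web flow yields tokens rather than licenses.
    """

    def __init__(self):
        self._key = secrets.token_bytes(32)   # vault-only key for the dedup fingerprint
        self._by_token = {}                   # token -> raw license number
        self._by_fingerprint = {}             # HMAC(license) -> token

    def _fingerprint(self, dl_number: str) -> str:
        # Keyed hash, not a plain SHA-256: license numbers have little entropy, so an
        # unkeyed hash could be brute-forced back to the value if this index leaked.
        return hmac.new(self._key, dl_number.encode(), sha256).hexdigest()

    def tokenize(self, dl_number: str) -> str:
        fp = self._fingerprint(dl_number)
        if fp in self._by_fingerprint:        # same license -> same token, so records stay joinable
            return self._by_fingerprint[fp]
        token = "tok_" + secrets.token_urlsafe(16)   # random; carries no information about the license
        self._by_token[token] = dl_number
        self._by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str, caller_scopes: set) -> str:
        """Only callers holding the hypothetical 'dl:read' scope (a back-office job, not the
        quote web app) get the raw value back."""
        if "dl:read" not in caller_scopes:
            raise PermissionError("caller is not authorized to read raw license numbers")
        return self._by_token[token]


def masked(dl_number: str) -> str:
    """The most a customer-facing quote or prefill screen should ever echo back."""
    return "*" * max(len(dl_number) - 4, 0) + dl_number[-4:]


def store_application(vault: TokenVault, customer: dict) -> dict:
    """Swap the license number for a token (plus a display-only last 4) before the record
    reaches the application's own storage."""
    record = dict(customer)
    dl_number = record.pop("dl_number")
    record["dl_token"] = vault.tokenize(dl_number)
    record["dl_last4"] = dl_number[-4:]
    return record


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample customer record, not real data.
    rec = store_application(vault, {"name": "A. Example", "dob": "1980-01-01", "dl_number": "D1234567"})
    print(rec)                                   # no raw license number in the application record
    print(masked("D1234567"))                    # ****4567
    print(vault.detokenize(rec["dl_token"], {"dl:read"}))
```

The design choice worth noting is that the quote flow never holds the raw number at all: it stores `dl_token` and `dl_last4`, and only a separately authorized caller can turn the token back into a license. An attacker who can drive the web flow with someone else’s personal details, as the notice describes, would then receive at most a masked value.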
Saryu Nayyar
Saryu Nayyar (she/her) is CEO of Gurucul.
“This is infuriating. Geico is essentially skirting blame for this breach, and worse – making the victims take responsibility for protecting their driver’s license number from being used to fraudulently apply for unemployment benefits. In the notice of breach letter, Geico states, “fraudsters used information about you – which they acquired elsewhere…” What information exactly and from where? Geico either doesn’t know or won’t say. In response, they are offering 1 year of free identity-theft protection, but that doesn’t address the unemployment benefits fraud that they admit is the imminent threat. Geico customers must monitor state unemployment communications and contact the agency if they experience a problem. Do you know how hard it is to contact any US state unemployment agency during a pandemic? It’s a nightmare and overwhelmingly time-consuming. There are better ways to protect customers from fraud. Security analytics can detect and stop fraudsters before they drive off with your PII.”
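Nayyar’s closing point, that analytics can catch fraudsters before they leave with the PII, has a concrete form for the abuse the notice describes: one genuine customer retries a quote for a single identity, whereas someone feeding a list of stolen identities through the form successfully looks up many distinct people from one source address in a short window. The following Python is an added example for this page, not Gurucul’s or Geico’s code; the `/quote/prefill` endpoint, the log format, and every log line are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log for a hypothetical quote-prefill endpoint (not real
# Geico logs). Each request submits identity details; on status=200 the response
# includes a license number. `ident` stands for a hash of the identity details.
SAMPLE_LOG = """\
2021-02-03T09:00:00Z src=192.0.2.9 path=/quote/prefill status=200 ident=c1
2021-02-03T10:15:01Z src=198.51.100.20 path=/quote/prefill status=200 ident=a1
2021-02-03T10:15:04Z src=203.0.113.7 path=/quote/prefill status=200 ident=b1
2021-02-03T10:15:09Z src=203.0.113.7 path=/quote/prefill status=200 ident=b2
2021-02-03T10:15:13Z src=203.0.113.7 path=/quote/prefill status=404 ident=b3
2021-02-03T10:15:18Z src=203.0.113.7 path=/quote/prefill status=200 ident=b4
2021-02-03T10:15:22Z src=203.0.113.7 path=/quote/prefill status=200 ident=b5
2021-02-03T10:15:27Z src=203.0.113.7 path=/quote/prefill status=200 ident=b6
2021-02-03T10:15:31Z src=203.0.113.7 path=/quote/prefill status=200 ident=b7
2021-02-03T10:16:40Z src=198.51.100.20 path=/quote/prefill status=200 ident=a1
2021-02-03T11:00:00Z src=192.0.2.9 path=/quote/prefill status=200 ident=c2
2021-02-03T13:00:00Z src=192.0.2.9 path=/quote/prefill status=200 ident=c3
2021-02-03T15:00:00Z src=192.0.2.9 path=/quote/prefill status=200 ident=c4
2021-02-03T17:00:00Z src=192.0.2.9 path=/quote/prefill status=200 ident=c5
2021-02-03T19:00:00Z src=192.0.2.9 path=/quote/prefill status=200 ident=c6
"""


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value key=value ...' into a dict, with a datetime under 'ts'."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def peak_distinct_identities(lines, window_minutes: int = 10) -> dict:
    """For each source address, the largest number of distinct identities it successfully
    looked up within any span of `window_minutes`. A customer retrying their own quote
    stays at 1; a source working through stolen identities climbs quickly."""
    window = timedelta(minutes=window_minutes)
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> (ts, ident) pairs still inside the window
    peak = defaultdict(int)
    for ev in events:
        if ev.get("path") != "/quote/prefill" or ev.get("status") != "200":
            continue              # only successful responses hand back a license number
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["ident"]))
        while ev["ts"] - q[0][0] > window:   # drop requests older than the window
            q.popleft()
        distinct = len({ident for _, ident in q})
        peak[ev["src"]] = max(peak[ev["src"]], distinct)
    return dict(peak)


def find_enumerators(lines, window_minutes: int = 10, max_identities: int = 5) -> dict:
    """Sources whose peak reaches the threshold: candidates for blocking, and the starting
    point for scoping the breach (which identities did each of them pull?)."""
    peaks = peak_distinct_identities(lines, window_minutes)
    return {src: n for src, n in peaks.items() if n >= max_identities}


if __name__ == "__main__":
    for src, n in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {n} distinct identities looked up within 10 minutes")
```

In the constructed log, 203.0.113.7 pulls six different people’s records in under a minute and is flagged, while 198.51.100.20 (one identity, retried) and 192.0.2.9 (six identities spread hours apart) are not at the default window. The window matters: widening it to a day also flags 192.0.2.9, which is the low-and-slow variant a single-threshold rate limit misses, so in practice a practitioner would run several windows in parallel. The same peak counts answer the scoping question the notice leaves open (how many customers were affected), because each flagged source’s identities are exactly the records that were exposed.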
Thanks to these experts for their time and expertise. Learn more in the SIEM Buyer’s Guide.
Ben Canner
Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.