
Hackers were able to gain people's license ID numbers via car insurer's online get-a-quote system

Mapfre Insurance is notifying customers that somebody was able to get into its "online quoting platform" for Massachusetts residents last month and retrieve information about Massachusetts residents and their cars.

According to a copy of the letter, now part of the state Office of Consumer Affairs and Business Regulation's compilation of data breaches in August, the as yet unknown hackers were able to suck out Massachusetts drivers-license numbers and, in some cases, information about drivers' cars, including the VINs, for two days last month. The company did not say how many people might have had their information stolen.

In the letter, Mapfre writes:

What Happened
Between July 1 and July 2, 2023, an unknown party used information about you – which was already in the unknown party’s possession – to obtain access to additional information about you through MAPFRE’s Massachusetts online quoting platform in Massachusetts.

What Information Was Involved
We have determined that the unknown party obtained access to your driver’s license number through MAPFRE’s Massachusetts online quoting platform. The unknown party may also have obtained access to information regarding vehicles you own, including make, model, year, and vehicle identification number.

Mapfre says it disabled its online quote system and alerted the authorities as soon as it discovered the data theft. It's offering letter recipients 12 months of free access to Experian's identity monitoring service.


Comments

All these days breaches are so great, I'll never need to pay for identity monitoring services again! I'll have 3 free ones at any time from a constant stream of leaks. Keep it up!

/s

up
Voting closed 0

The first, from a community college in Michigan where I took 3 or 4 classes. In 1984-1986. Astounding that they still had my info stored.

They offered free enrollment in a monitoring service for 2 years; the more recent vendor was offering the same monitoring service.

up
Voting closed 0

Yeah, it's great until you have your identity stolen. Had a friend whose SSN was taken, and that person took over all their bank accounts and credit cards. Took months for it to sort out and even now still has issues with some systems because they still have not received notice that his SSN was changed (apparently this is very hard to do).

It's also not so great because it's happening more and more. This costs companies (and you, as a passed on cost) a ton of money to investigate. It's no longer as simple as "just reload the server from a backup", now lawyers and infosec people get involved.

The Lawyers are the ones who are winning here. They get to bill so many hours now doing this stuff, as their biggest concern is dealing with a company's insurance carrier. Cuz God forbid that your identity is stolen, and you might track it back to a specific leak and sue. Which is nearly impossible to do since this happens so much lately, but the breath of a lawsuit will make Lawyers perk up like a dog when you open a can of dog food.

I can't say too much but I deal with these issues almost daily now. Had two customers last week inform us of breaches, and another one yesterday. All I do now is assist and look into findings (as to why it happened).

The good news is that this continues, I'll be employed forever (with my InfoSec training).

up
Voting closed 0

stolen SSN: e-filing a tax return in your name for a big refund that gets sent to the thief. If you learn about your SSN being stolen, contact the IRS stat to put a fraud alert on your account. This happened at a company I worked for, and I shared this tip with my coworkers. One didn't follow my advice, and got hit.

up
Voting closed 0

The DB must have fallen out of their pocket.

up
Voting closed 0

Fixed, thanks.

up
Voting closed 0

Henry V says "unto" the breach

up
Voting closed 0

The financial industry’s big mistake was to ever treat SSNs, driver’s license numbers, etc. as secrets. They’re mostly over it now, but for a long time they believed that you knowing my social security number was evidence that you were me.

If everyone involved from the beginning had been clear that these numbers and other identifying information were not in principle or in practice secret, and should play no role in authentication, we would have designed all sorts of systems and procedures very differently, to the extent that data breaches would be much less of a big deal, because merely possessing information about me wouldn’t be much help in impersonating me.

up
Voting closed 0

It's not that these are being used as ID. It's that these are being stored somewhere, period.

I can't say many details but a recent client of mine had their entire Microsoft SQL Database files sucked off their database server. This included names, addresses, SSNs, and everything in between.

Now that data lives on the dark web and is being sold for large amounts of money. If you knew whose information belonged to what people, you'd be saddened that this has happened, as.. I can just say this... these people cannot help themselves most of the time nor have the capacity to even know their identity was stolen. (that's the real crime here, really..)

If there was a good reason to have a Nationalized ID, identity theft would be greatly reduced, as it's easy to change that number (like you can on your driver's license). SSN.. that's a whole different headache to change that.

up
Voting closed 0

I, too, have some information security experience.

My point is that my name and address are not secret. Neither is my birthday. There should be nothing that a fraudster can do with that information that could hurt me in any way. Knowing my name and address and birthday should never be enough to open a bank account in my name, nor to take out credit in my name, nor to file a fraudulent tax return with a big refund, in my name, nor to convince my bank that you're me.

The same ought to be true for social security numbers and drivers license numbers. If we had made it clear from the beginning that those pieces of information were not secret, and that nobody should rely on them for authentication, then having databases full of them be stolen would not be a problem. Heck, publish it all in the phone book for all anyone would care.

up
Voting closed 0

The social security card that I got way back in the 1970s had that printed on it. Is this no longer the case?

up
Voting closed 0

“Not for identification” refers to the physical card, meaning that presenting the card shouldn’t be taken as evidence that the bearer is the person named on the card.

As kind of a geeky tangent: people, even bank and many infosec people, are really sloppy in their use of the terms “identify” and “identification”.

My tattered business card that someone picked up from the sidewalk is perfectly good identification: it has my name, address, email and phone. It uniquely identifies me, since nobody else has those same attributes. It identifies me. What it doesn’t do is say anything at all about who the person holding the card is. Of course, pointing at me and saying “that guy there in the blue shirt” identifies me too (see: deictic reference)

What people often mean by “identify” or “present identification” is actually “authenticate your claim of identity,” i.e. present evidence that you are the person you claim to be. That’s where tamper resistant documents with photos or other biometrics, like drivers licenses or passports, come in.

up
Voting closed 0