🚨 Breaking: Car Insurer Exposes 190,000 Driver’s License Numbers

What happened?
Lemonade Inc., the app-based insurance provider, disclosed that a system vulnerability in its online quote tool led to the exposure of approximately 190,000 individuals' driver’s license numbers. The issue persisted undetected from April 2023 to September 2024 and was only discovered in March 2025.

How did it happen?
The breach was caused by an API misconfiguration. When users entered name and address details to request a car insurance quote, Lemonade’s system autofilled and transmitted driver’s license numbers—unencrypted—via a third-party service. This meant unauthorized parties could access and view license data without authentication, even if the quote process wasn’t completed.

Who was affected?
Roughly 190,000 individuals were impacted, including many who never finalized or even completed a quote. Some had their license numbers exposed simply because the system matched their personal information.

Company response:

  • The vulnerability was patched immediately upon discovery.

  • Encryption protocols and new data-handling safeguards were implemented.

  • Affected individuals were notified in April 2025.

  • One year of credit monitoring and identity theft protection was offered.

Legal consequences:
A class-action lawsuit has been filed in federal court, alleging violations of the Driver’s Privacy Protection Act and related data security laws. Plaintiffs report serious consequences, including identity theft and fraudulent loans resulting from the exposure.

Why it matters:
Driver’s license numbers are high-value identity credentials. Criminals can use them to open bank accounts, apply for loans, or create fake identities. This breach demonstrates how quickly personal data can be exploited—and how long a vulnerability can go unnoticed.


What You Can Do Now

If you were notified, take the following steps:

  • Activate the credit monitoring services offered.

  • Review your credit reports and account statements carefully.

  • Place a fraud alert or credit freeze to help prevent unauthorized activity.

  • Save documentation of any suspicious activity in case you need to file a claim or join litigation.


How Patriot Protect Can Help

Incidents like this are becoming more frequent—and more costly. By the time a company notifies you, your data may have already been sold, reused, or weaponized. Patriot Protect offers proactive monitoring, real-time alerts, and dark web sweeps that detect exposed personal data before it’s used against you.

If your information is already floating around, we help get it removed.

Don’t wait for the next breach. Lock down your personal information today.
