A recent data breach at the insurance firm Lemonade exposed the driver’s license numbers of thousands of people over the course of 17 months.

The New York-based company began sending breach notification letters in multiple states last week following the discovery of an incident in 2023 and 2024 involving its online application process. Users typically enter their name and address into the Lemonade insurance policy application and a third-party vendor automatically populates a person’s driver’s license number. 

A vulnerability within the online application platform for insurance policies resulted in the likely exposure of driver’s license numbers, which “may have been accessed without authorization,” the company said.

An investigation revealed the information was exposed from April 2023 to September 2024. The company says it discovered the issue in March 2025.

Lemonade said it has taken steps to fix the vulnerability but did not respond to requests for comment about how it did so, how many people were affected or how it was initially tipped off to the problem. 

Victims are being given temporary identity protection services. At least 17,563 people in Texas were impacted by the breach along with 1,950 people in South Carolina. It is unclear how many other states’ residents were affected.

Lemonade offers insurance to car owners, renters, homeowners, as well as pet and term life insurance in the U.S. The company is best known for controversially using AI and chatbots to process its claims. 

While Lemonade reiterated in the letters that they have “no evidence to suggest” that driver’s licence numbers were misused, hackers have previously targeted similar platforms and used stolen numbers for a variety of scams. 

In November, New York state officials fined insurance giants Geico and Travelers more than $11 million for a similar issue that exposed the driver’s license numbers of about 120,000 New Yorkers.

The companies operated similar websites offering insurance quotes to potential customers that automatically fill in applications after people enter their names or address. Hackers targeted Geico’s applications using the pre-fill function to access the driver’s license numbers of tens of thousands of New Yorkers. The company said it discovered a spike in the number of applications that were being pre-filled but not completed.

Cybercriminals then used the stolen driver’s license numbers to file fraudulent unemployment benefits claims in New York state, pilfering thousands of dollars at the height of the COVID-19 pandemic.

The company found cybercriminals discussing breaching Geico’s system and stealing driver’s license numbers on the dark web, and in some instances hackers were purchasing policies and filing fraudulent claims to gain access to customers' driver's licence numbers.