Lemonade says applicant driver’s license numbers exposed

Lemonade Inc. has begun sending notification letters to about 190,000 people after their driver’s license numbers were transmitted unencrypted, according to regulatory filings by the company. 

The company said a technical issue in its online application process for car insurance led to the exposure of data in an application programming interface call to a third-party data provider, according to an April 9 filing with the Securities and Exchange Commission. 

As part of the online application process, certain information is sent between a server and a user’s browser, according to the filing. This includes data used to generate an insurance quote.  

Lemonade said it learned of the issue on March 14 and said the exposures likely lasted from April 2023 through March 2024, according to a notice filed with the California Attorney General’s office. 

The technical issue allowed the data to be sent out without the normal means of protection used by Lemonade and the driver’s license numbers were left without encryption. The company said has since taken measures to resolve the vulnerability.

Lemonade said none of its operations were compromised and customer data was not targeted. The company said it does not consider the incident to be “material” to operations or financial results.   

The company said it will notify regulators based on its legal obligations. 

A spokesperson for the company was not immediately available. 

Lemonade offers various policies, including renters, homeowners, pets, auto and life insurance in the U.S. and parts of Europe. It has more than 2.4 million customers.