ACSC Data Breach Exposes Driver’s License Information via Third-Party Vendor
On March 9, 2026, the Automobile Club of Southern California (ACSC) disclosed a data breach stemming from a security incident at DanubeNet Inc. (DSS), a third-party vendor providing driver education services. The breach exposed personally identifiable information (PII), including names and driver’s permit or license numbers, though the exact method of intrusion was not specified.
ACSC’s contract with DSS required the vendor to maintain appropriate security measures. Following the discovery, ACSC collaborated with DSS to investigate the incident and implement corrective actions. DSS has since strengthened its security protocols to prevent future breaches.
The breach affected six Massachusetts residents, as reported by the Massachusetts Office of Consumer Affairs and Business Regulation, and was also disclosed to the California Attorney General.
In response, ACSC offered affected individuals a complimentary two-year membership for credit monitoring and identity protection services through Epiq, including credit monitoring with alerts, annual credit reports, dark web monitoring, $1 million in identity theft insurance, and identity restoration support. Enrollment instructions were provided in notification letters, with no impact on credit scores.
While ACSC advised vigilance in monitoring accounts and credit reports, the exposed driver’s license numbers heighten the risk of identity theft, underscoring the need for affected individuals to consider additional safeguards like fraud alerts and security freezes.
Source: https://www.claimdepot.com/data-breach/aaa-2026
AAA cybersecurity rating report: https://www.rankiteo.com/company/aaa
"id": "AAA1773190327",
"linkid": "aaa",
"type": "Breach",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '6 Massachusetts residents',
'industry': 'Automotive/Insurance',
'location': 'Southern California, USA',
'name': 'Automobile Club of Southern California (ACSC)',
'type': 'Organization'},
{'industry': 'Driver Education Services',
'name': 'DanubeNet Inc. (DSS)',
'type': 'Third-Party Vendor'}],
'customer_advisories': 'Affected individuals were advised to monitor accounts '
'and credit reports, and to consider fraud alerts or '
'security freezes.',
'data_breach': {'personally_identifiable_information': 'Names, driver’s '
'permit or license '
'numbers',
'sensitivity_of_data': 'High (driver’s permit or license '
'numbers, names)',
'type_of_data_compromised': 'Personally identifiable '
'information (PII)'},
'date_publicly_disclosed': '2026-03-09',
'description': 'On March 9, 2026, the Automobile Club of Southern California '
'(ACSC) disclosed a data breach stemming from a security '
'incident at DanubeNet Inc. (DSS), a third-party vendor '
'providing driver education services. The breach exposed '
'personally identifiable information (PII), including names '
'and driver’s permit or license numbers. ACSC collaborated '
'with DSS to investigate the incident and implement corrective '
'actions. DSS has since strengthened its security protocols to '
'prevent future breaches.',
'impact': {'data_compromised': 'Personally identifiable information (PII), '
'including names and driver’s permit or '
'license numbers',
'identity_theft_risk': 'Heightened risk due to exposed driver’s '
'license numbers'},
'investigation_status': 'Ongoing (collaboration between ACSC and DSS)',
'lessons_learned': 'Third-party vendors must maintain robust security '
'measures to prevent data breaches; affected individuals '
'should monitor accounts and consider fraud alerts or '
'security freezes.',
'post_incident_analysis': {'corrective_actions': 'DSS strengthened security '
'protocols; ACSC offered '
'credit monitoring and '
'identity protection '
'services to affected '
'individuals.',
'root_causes': 'Security incident at third-party '
'vendor (DSS)'},
'recommendations': 'Affected individuals should enroll in credit monitoring '
'and identity protection services, monitor accounts, and '
'consider additional safeguards like fraud alerts or '
'security freezes.',
'references': [{'source': 'Massachusetts Office of Consumer Affairs and '
'Business Regulation'},
{'source': 'California Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': ['Massachusetts Office '
'of Consumer Affairs '
'and Business '
'Regulation',
'California Attorney '
'General']},
'response': {'communication_strategy': 'Notification letters sent to affected '
'individuals with enrollment '
'instructions for credit monitoring '
'services',
'remediation_measures': 'DSS strengthened its security protocols',
'third_party_assistance': 'Epiq (credit monitoring and identity '
'protection services)'},
'title': 'ACSC Data Breach Exposes Driver’s License Information via '
'Third-Party Vendor',
'type': 'Data Breach'}