Lemonade Inc. Reaches $10.5 Million Settlement Over Data Exposure Affecting 190,000 Individuals
A proposed class of nearly 190,000 individuals has filed for preliminary approval of a $10.5 million settlement with insurtech company Lemonade Inc. in the Southern District of New York. The case centers on allegations that Lemonade’s online quote platform exposed driver’s license numbers to cybercriminals due to a flawed auto-populate feature.
According to court filings, the platform disclosed driver’s license numbers when users entered basic personal details, such as name and address. Plaintiffs claim threat actors exploited this functionality over a 17-month period, using the stolen data to commit fraud and identity theft. The lawsuit alleges violations of New York General Business Law and the federal Driver’s Privacy Protection Act.
If approved, the settlement would include:
- A $10.5 million fund for affected individuals.
- A $55 payout per class member before deductions for fees and expenses.
- Three years of identity protection services, valued at nearly $720 per person, potentially increasing the settlement’s total value.
Lemonade has also agreed to implement a three-year data security enhancement program at its own expense. The case highlights risks associated with online prefill forms and the potential for exploitation by threat actors.
Source: https://www.jdsupra.com/legalnews/sometimes-the-juice-is-worth-the-squeeze-7714653/
Lemonade cybersecurity rating report: https://www.rankiteo.com/company/lemonade-inc-
{
  "id": "LEM1777912871",
  "linkid": "lemonade-inc-",
  "type": "Breach",
  "date": "12/2023",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}