So, I had this brilliant idea for a legitimate passive income opportunity: Start a company with an online presence and terrible information security. Buy personal information in bulk, store copies of it on our servers, then sit back as eeevil hackers steal it. Repeatedly. Each time it happens, offer the affected customers 12 months of free “cancel anytime” credit monitoring and identity theft protection. This new company is totally legit and sells NFTs or personalized coffee mugs or something, and its business model totally does not include selling “qualified leads” for free trial offers at credit monitoring and identity theft protection companies…
* * *
What? Sorry, wrong post. Actually, today we were going to talk about this letter my wife and I each got the other day from an insurance company I’ve barely heard of, offering 12 months of free credit monitoring and identity theft remediation services1. The letter states that an “unknown party” used the company’s online quoting platform and existing information to filch the recipient’s driver’s license number, and “may” have obtained the VIN and other details about vehicles you own. The letter goes out of its way to specify that the information used to access the additional information was “already in the unknown party’s possession”.
Especially now that driver’s licenses in the US are national IDs for things like air travel, handing out driver’s license numbers to criminals with easy access to multiple sources of stolen and just-plain-sold-on-the-open-market personal information to combine on millions of citizens is kind of a big deal. This information makes for an easy pivot from basic public information to full-blown identity theft, with US drivers licenses valuated at between about $20-$500 a pop on the criminal market (2022-2023), and easy to parlay from a mediocre fake to a really good one.
Needless to say, we both received an identical letter, and neither of us are MAPFRE customers, nor have we engaged with this company at all via requesting quotes or similar. So what gives?
As far as I can tell from public sources, here’s what happened.
In the US, the price you pay for auto insurance depends on a number of personal factors, including your age, gender, marital status, creditworthiness(!) (in most states), and of course, driving history. MAPFRE, a multinational insurance company, does a brisk business in the US state of Massachusetts (it acquired MA-based Commerce Insurance Group in 2007). At some point it added a “low-friction” online quoting tool to its website: Simply enter basic publicly-available information such as someone’s your name and street address, and it automatically pulled in a bunch of more-personal information from a data broker, including at a minimum your driver’s license number and details about the vehicles you own. The existence of such data brokers and the whole nonconsensual monetization thing – with the sheer volume of personal data they can sell with neither a dime to its owner nor a gnat’s fart from our regulatory bodies – are a rant for another day, but what’s taken this from sketchy business-as-usual to class-action lawyers collectively high-fiving each other is a small implementation detail, Auto-populate.
As I write this, at least two lawsuits have been filed seeking class-action status:
- Ma et al. v. MAPFRE U.S.A. Corp. et al. – Massachusetts District Court Case 1:23-cv-12059
- CONWAY, individually and on behalf of all similarly situated persons v. MAPFRE U.S.A. CORP et al. Massachusetts District Court Case 1:23-cv-12076
According to the CONWAY complaint, the online quote tool didn’t merely fetch the private data for transitory use server-side, but actually pushed it to the client, where it was displayed in auto-filled form fields in the web browser. Apparently, one or more crooks soon discovered that this quote tool was basically an unmetered pipeline to an unspecified data broker, which would ingest cheap “junkmail list” name & address databases at one end, and spit lucrative identity-theft data out the other. For one wild weekend of July 1-2 2023, the “unnamed party” used this auto-populate pipeline to make off with information from an estimated 266,142 random individuals2, regardless of whether they were MAPFRE customers or not. Particularly if the “lone actor” narrative of the insurer is to be believed, this rather strongly suggests that the data exfiltration was automated and that basic safeguards such as meaningful rate-limiting were not in place.
Eliding the more speculative and purple-prose bits of the complaints, CONWAY alleges that the insurer added “a feature to its existing online sales platform whereby an individual’s driver’s license number
would auto-populate for anyone that would enter a bare minimum of publicly available information
about that individual“, but “did not impose any security protocols to ensure that website visitors
entered and accessed PI only about themselves. MAPFRE did not impose effective security
protocols to prevent automated bots from accessing consumers’ PI.” It goes on to cite several resources indicating that cybercriminals targeting auto insurance companies specifically for drivers’ license information, including through similarly flawed online quote tools, is widespread and generally known in the industry. Likewise, Ma cites mainstream news sources to back up a claim that “[d]rivers’ license numbers have been taken from auto–insurance providers by hackers in other circumstances, including Geico, Noblr, American Family, USAA, and Midvale all in 2021, indicating both that this specific form of PI is in high demand and also that Defendants knew or had reason to know that their security practices were of particular importance to safeguard consumer data.“
Together, the filings paint the picture that auto insurance companies really should know better – which is to say, have specific knowledge that cybercriminals have been actively, and successfully, targeting auto insurance companies to collect driver’s license information specifically. In addition, both complaints cite the long delay between MAPFRE becoming aware of the breach and notifying customers: the breach occurred over July 1-2 2023. According to the complaints, two customer plaintiffs (Ma) and the non-customer plaintiff (Conway) received notifications between August 22-29. For myself and better half, also non-customers, the letter is dated October 19, 2023 and received sometime later.
A further wrinkle: The DPPA
The United States does not have a consumer privacy law. Instead, we have a bizarrely sparse patchwork of laws that narrowly target specific industries. So, there is one that covers sharing of medical information by the medical industry, separate ones covering children (but online), etc. One such oddly-specific privacy law is the federal Drivers Privacy Protection Act (DPPA), which, like many such laws, came about as a reaction to a specific pattern of abuse. And this one is written in blood. According to the Electronic Privacy Information Center, the law’s origins can be traced to a series of stalking cases enabled by easy access to personal records through state motor vehicle departments, who would typically hand this information out without restriction for a small fee. It was most likely catalyzed by the 1989 death of actress Rebecca Schaeffer, who was stalked and killed by an “obsessed fan” who, through a private investigator, obtained her address from her California motor vehicle record.
While the DPPA is aimed at state motor vehicle departments and their employees, it also covers resale or redisclosure by “authorized recipients”, which are likely to include car insurance companies and intermediate sources. Meanwhile, subsequent cases have established that DPPA plaintiffs are not required to prove actual damages to recover liquidated damages for a violation of the DPPA and could choose to accept actual or statutory damages. Whether it applies in this particular case, and whether a company successfully skirts it if the identical information was received from a source other than a state DMV, are questions for the courts to decide.
So, TL;DR: a personal data breach that will keep unemployment fraud artists and lawyers busy for a while can most likely be traced back to a simple case of not thinking it through, and the same kind of diffusion of responsibility that lets car thieves unlock a vehicle and drive it away by popping out a side mirror or headlight. I can just imagine a naive web app developer fresh out of school, with more clever than caution and a manager harping behind them for a conversions boost, patting themselves on the back over this sweet automation mere days before everything hit the fan. I guess my brilliant legitimate business plan is safe for another day.
- It is strangely telling that the letters were actually sent out by Experian (a huge data broker), not MAPFRE, and that the year of identity-theft protection offered is an Experian product. Whether it’s more telling to see data brokers double-dipping on both selling off (and leaking!) private information and separately selling services to clean up after the mess, or that this is a commonplace enough occurrence to have an integrated workflow for mass-mailing breach notices to a customer list pre-filled with unique identity-theft-protection-service activation codes, now that is beyond my pay grade. ↩︎
- https://www.mass.gov/doc/data-breach-report-2023/download p75 ↩︎
Leave a Reply