AssuranceAmerica data breach exposes driver's license numbers of nearly 7 million people
U.S. auto insurer AssuranceAmerica began notifying about 6.9 million people in July 2026 that a March intrusion, traced to a phishing attack on a single employee, exposed their driver's license numbers and other personal data.
- Victim
- AssuranceAmerica
- records
- 7.0M
- users
- 7.0M
On 10 July 2026, AssuranceAmerica โ an Atlanta-based non-standard auto insurer founded in 1998 that writes car and rental coverage across more than a dozen U.S. states โ began notifying roughly 6.9 million people that their personal information had been stolen in a data breach earlier in the year. In a filing shared by the Maine Attorney General's office, the company put the number of affected individuals at 6,998,886, making it the largest known exposure of Americans' driver's license numbers reported in 2026.
According to the notifications, the intrusion began with a phishing attack against a single employee on or about 16 March 2026. Using the stolen credentials, an attacker logged into AssuranceAmerica's IT environment; the company spotted the suspicious activity roughly a day later, on 17 March, and moved quickly to disable the compromised credentials, terminate the unauthorized sessions and isolate affected systems. A forensic review that concluded on 15 June 2026 determined which records had been accessed, and notification letters began going out on 10 July โ 115 days after the breach was first detected.
What was exposed
The stolen data reflects the mechanics of the auto-insurance business. Affected records include customers' names, contact information, auto insurance policy and claims records, and driver, vehicle and driver's license information, with driver's license numbers exposed for the full population of nearly seven million people. For a subset of individuals, the compromised data also included Social Security numbers and Tax ID information, sharply raising the identity-theft risk for those customers.
Why it matters
Driver's license numbers are durable identifiers that, unlike payment cards, cannot easily be reissued, which is why a spill of this size is significant even without a ransom demand or public data leak. The incident also illustrates how a single successful phishing email can cascade into a nation-scale exposure at an insurer that aggregates sensitive personal and policy data on millions of drivers. AssuranceAmerica said it terminated the unauthorized access, reset passwords, deployed enhanced monitoring and notified law enforcement, and is offering affected customers credit-monitoring services.
Timeline
A phishing attack targets a single AssuranceAmerica employee, compromising that employee's credentials.
AssuranceAmerica detects suspicious activity within about 24 hours, disables the stolen credentials, terminates unauthorized sessions and isolates affected systems.
The company concludes its forensic investigation, determining which individuals and data were affected.
AssuranceAmerica begins mailing breach notification letters, disclosing that 6,998,886 people were affected โ 115 days after detection.
Sources
- techcrunch.comhttps://techcrunch.com/2026/07/08/another-massive-data-breach-exposed-millions-of-drivers-license-numbers/
- scworld.comhttps://www.scworld.com/brief/assuranceamerica-confirms-data-breach-affecting-6-9-million-drivers-licenses
- bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/assuranceamerica-data-breach-exposes-records-of-69-million-drivers/
- cybernews.comhttps://cybernews.com/news/assuranceamerica-insurance-breach-7-million-drivers-license-records/
- compliancehub.wikihttps://compliancehub.wiki/assuranceamerica-breach-6-9-million-drivers-license-notification-2026/