US insurance provider AssuranceAmerica has confirmed a significant data breach, compromising the personal information and driver's licence numbers of approximately 6.99 million individuals. The incident, which came to light following an internal investigation, represents the largest known exposure of American driver's licence data so far in 2026, underscoring the escalating threat of cyberattacks.
AssuranceAmerica, a prominent car and rental insurance provider operating across multiple US states, discovered unauthorised access to its computer systems on 17 March. The company's subsequent investigation, concluded on 15 June, revealed that hackers had successfully exfiltrated customers' names, contact details, driver's licence numbers, and information pertaining to their auto insurance policies, accounts, drivers, vehicles, and claims. While the specific cause of the breach was not fully disclosed, the company indicated that attackers 'targeted one of the Company’s employees' and that 'compromised credentials' were subsequently disabled.
The theft of driver's licence numbers poses a considerable risk, as this sensitive information can be exploited for identity theft, financial fraud, and impersonation. Experts warn that such data, when combined with other personal details, creates a potent toolkit for malicious actors. Although AssuranceAmerica has begun sending notification letters to affected individuals, the full extent of the impact and potential misuse of the stolen data remains a serious concern.
This incident is not isolated, forming part of a worrying trend of data breaches specifically targeting government-issued identity documents. Recent months have seen similar attacks, including a June incident where the Texas state government reported hackers stealing information related to at least 3 million driver's licences and passport numbers. Furthermore, various security lapses have previously exposed millions of identity documents through diverse platforms, from hotel check-in systems to UK visa services.
The increasing demand for digital identity verification, driven by a global push for age-verification laws and online authentication, inadvertently creates more centralised repositories of sensitive data, making them attractive targets for cybercriminals. As businesses and online platforms increasingly request identity documents to verify user age or identity, the potential for widespread data compromise grows, necessitating robust security measures and international cooperation to safeguard personal information.