16 April 2025

Lemonade And Hertz Report Major Data Breaches

Two companies face scrutiny after exposing customer data through technical vulnerabilities.

Lemonade, a New York-based insurtech company, has begun notifying approximately 190,000 individuals whose driver’s license numbers were potentially exposed due to a technical issue within its car insurance quote flow. The exposure is believed to have occurred over a 17-month period from April 2023 to September 2024.

According to an 8-K filing made by Lemonade on April 4, 2025, the company concluded that the problem stemmed from a flaw in how data was transmitted during the quote generation process. This flaw involved an application programming interface (API) call to a third-party data provider, which resulted in certain sensitive data being transmitted without the standard protective measures typically employed by the company.

“This issue caused certain data to be transmitted without Lemonade’s standard means of protection,” the company stated in its filing. Following the discovery of this vulnerability, Lemonade took immediate action to rectify the situation and has since sent letters to the affected individuals, informing them that their driver’s license numbers were likely exposed.

In these notifications, Lemonade reassured customers that there is no evidence suggesting that their driver’s license numbers have been misused. The company emphasized that this notice is a precautionary measure intended to inform potentially affected individuals and to provide guidance on steps they can take to protect themselves.

Among the impacted individuals, 17,563 are based in Texas, while another 1,950 are located in South Carolina. The California Attorney General’s office has also confirmed that residents of the Golden State are among those affected.

Despite the breach, Lemonade has stated that its operations were not compromised, and it confirmed that customer data was not specifically targeted. The company determined that the incident was not material, as outlined in its SEC filing.

This incident follows a series of data breaches within the insurance sector. In March 2025, another insurtech company, Root, faced penalties amounting to $975,000 after exposing the personal information of around 45,000 New York residents due to a security vulnerability. Additionally, in late 2024, Geico and Travelers Indemnity Company were fined $9.75 million and $1.55 million respectively for their failures to protect consumer data, which led to the exposure of information from 120,000 New Yorkers that was subsequently used in fraudulent unemployment claims during the Covid-19 pandemic.

At the time of publication, Lemonade had not responded to requests for further comment regarding the breach.

Meanwhile, Hertz has also reported a data breach affecting an unknown number of its customers due to vulnerabilities within a vendor's platform. On April 15, 2025, the rental car company confirmed that personal data had been acquired by an unauthorized third party, which exploited zero-day vulnerabilities in Cleo’s platform during late 2024.

Hertz learned of the data breach in early February 2025 and immediately began a forensic investigation to assess the scope of the incident. The company stated that it utilizes Cleo’s file transfer platform for limited purposes and has found no evidence that Hertz’s own network was compromised during this event.

The personal information potentially exposed in the breach includes names, contact information, dates of birth, credit card information, driver’s licenses, and information regarding workers’ compensation claims. A small subset of individuals may also have had their Social Security numbers, passport information, or Medicare and Medicaid IDs associated with workers’ compensation claims impacted.

Hertz has indicated that approximately 3,409 customers in Maine were affected, along with around 96,600 customers in Texas. The company has also alerted customers in Australia, Canada, the European Union, New Zealand, and the United Kingdom about the breach.

As a precautionary measure, Hertz is offering those impacted two years of identity monitoring or dark web monitoring services through Kroll. The company has advised potentially affected individuals to remain vigilant regarding their bank statements and credit reports.

In its efforts to address the breach, Hertz has notified law enforcement and confirmed that Cleo is investigating the event and working to rectify the identified vulnerabilities. However, as of the latest reports, Cleo had not responded to requests for comment.

These recent incidents highlight the ongoing challenges faced by companies in safeguarding sensitive customer data, particularly in the insurance and rental car sectors. As cyber threats continue to evolve, companies are under increasing pressure to enhance their security measures and protect the personal information of their customers.

With data breaches becoming increasingly common, consumers are urged to remain proactive in monitoring their personal information and to take necessary precautions to safeguard their identities.

As the landscape of data security continues to change, both Lemonade and Hertz are now navigating the aftermath of these breaches, focusing on improving their systems and restoring customer trust.