Consumer Alert: Are auto insurers exposing your private information? We have answers.

ROCHESTER, N.Y. (WHEC) — This consumer alert involves public access to your private information. Cyberthieves may already have your driver’s license number. With that number, they can file for unemployment benefits in your name, weaving a web of fraud that has entangled likely hundreds of thousands of innocent New Yorkers.

For weeks, I’ve been investigating one of the ways those thieves are getting those driver’s license numbers; they used auto insurers’ websites. Those sites are designed to make it easy for you to buy insurance. The problem is it was far too easy for cyber-thieves as well.

In fact, it was easy as 1,2,3. One: Get someone’s name and address. Two: Use that info to buy auto insurance online. Three: Get their driver’s license number.

It happened to many New Yorkers I’ve interviewed over the course of a five-part investigation.

The first viewer who contacted me about the issue was James Wesley. He told me, "I don’t have anything with Liberty Mutual nor have I asked Liberty Mutual for a policy quote." But Wesley got a Liberty Mutual bill for an auto policy he didn’t buy.

"There’s a very easy solution to correct this,” said Ken Mollins, an attorney representing a Liberty Mutual identity theft victim. “Liberty, don’t give out someone’s private information. Insist that people have their driver’s license number when they apply."

So of course I wanted to know if insurers fixed the problem. The best way to tell was to try to buy auto insurance using insurers’ online sales sites. On Liberty Mutual’s website, I used my own name and address. But I purposely used the wrong birthday, email and phone number. I wanted to test whether the website would autofill my information with only my name and address, information publicly available.

And Voila! The system auto-filled the year, make and model of my vehicles, the drivers in my household and their ages, as well as insurance my current auto insurance and the coverage amount.

In the final step, it asked for my Social Security and driver’s license numbers. But it did not autofill that information, and in an online chat with an agent, I was told I couldn’t buy the policy without my driver’s license and social security numbers, which is good.

So then I tested Progressive. And again, the site auto-filled my vehicles, and drivers in my household, but it would not let me buy a policy without first typing in my driver’s license number.

So then I tried GEICO. I used my name and address, but used a fake birthday, phone number and email. So with just my name and address, the site’s autofill software filled in the information about my vehicles, the drivers in my household and surprisingly, my Vehicle Identification Number. When I got to the page to type in my driver’s license number, GEICO’s autofill software filled in the blanks using my old Texas driver’s license number. While it only displayed part of the number, when I clicked next to confirm the number was mine, shockingly, it allowed me to go to the page in which I could purchase a policy. If I were a thief, that purchase, likely with a stolen credit card, would have given me access to the drivers’ license number.

And GEICO admits as much in this letter to victims. It reads, fraudsters got "unauthorized access to your driver’s license number through the online sales system on our website.” The letter says GEICO fixed the problem, and the letter is dated April 9. So why did GEICO’s online sales system autofill all my information on April 15, six days after the dated letter claimed the problem had been fixed?

I reached out to GEICO, and a spokesman told me "our cybersecurity team constantly remains vigilant and worked with our application development teams to implement updates to our system to prevent personal information like drivers’ license numbers from falling into the wrong hands."

I repeatedly told the spokesman that the site’s autofill software had filled in my private information allowing me to buy a policy without proof of identity, and this occurred after the company claimed to have fixed the problem. Exactly when did GEICO’s application development teams update the system?

The GEICO spokesman did not directly answer that question writing, “We have successfully implemented the appropriate fixes to our system to prevent driver’s license numbers from being fraudulently obtained. Additionally, we alerted the Department of Financial Services upon detecting this fraudulent activity had occurred.”

I immediately reported the issue to the Department of Financial Services, and when I checked the site two days later, it did not autofill my driver’s license number.

I asked the Department of Financial Services what it is doing to address the problem, and it said it could not comment on an ongoing investigation.

If you get a bill for auto insurance you did not buy, you need to take the following steps:

• Call the fraud departments of each insurer.
• Progressive – 877-238-5194 (option 2).
• GEICO – 1-800-824-5404 ext. 3313.
• Liberty Mutual 1-617-357-9500.
• Call the DMV’s Insurance Services Bureau at 1-518-474-0700 to make sure it has the right auto insurance listed because the DMV may now believe you’ve changed your insurance.
• Check your credit with all three agencies – Transunion, Equifax, and Experian, here.
• Freeze your credit with all three. We know your identity is now compromised. The freeze assures us that thieves can’t open new lines of credit in your name.
  • Equifax freeze.
  • Experian freeze.
  • Transunion freeze.
• Report this crime to the New York State Department of Financial Services here.