US car insurer AssuranceAmerica has begun notifying customers of a data breach that exposed the personal information and driver license numbers of up to 6.9 million people. The company sells car and rental insurance across 14 US states through more than 9,500 independent agents.
What was taken
According to the company's breach notification, attackers were discovered inside AssuranceAmerica's systems on March 17, 2026, and an investigation completed on June 15 found they had stolen customers' names, contact details and driver license numbers. The notice also references auto-insurance policy details, information about customers' drivers and vehicles, and claims records. That combination, a full name paired with a driver license number, is exactly the kind of data used for identity theft and to open fraudulent accounts.
How it happened
Public breach notices and independent reporting indicate the intrusion began with a targeted phishing attack against a single employee. Once inside, an unauthorized third party reached parts of the insurer's IT environment and copied files containing customer policy information and license numbers. So far no vendor or law-enforcement report has linked the activity to a named ransomware operation or other threat group, and there is no public sign of a ransom demand or payment. AssuranceAmerica has not issued a public statement beyond its customer notifications. Large license-data exposures have become a recurring theme, as when a vendor breach exposed passport and license data of 3 million Texans.
What you should do
Affected customers should treat their license number as compromised. Watch for impersonation scams that reference AssuranceAmerica or your insurance policy, and verify any such contact through the company's official channels rather than replying directly. Consider placing a fraud alert or credit freeze, enable phishing-resistant two-factor authentication on important accounts, and set up identity monitoring so misuse of your data surfaces quickly. Because a single phishing email opened the door, the incident is also a reminder for organizations to harden email defenses and limit how much customer data any one account can reach.
Details are drawn from the breach disclosure.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.