
AssuranceAmerica confirmed a breach exposing nearly 7 million driver’s licenses after hackers compromised an employee account and stole customer data.
U.S. auto insurer AssuranceAmerica has confirmed a data breach affecting nearly 7 million people, making it the largest known theft of Americans’ driver’s license information in 2026.
“In a data breach notice sent to customers and seen by TechCrunch, AssuranceAmerica said it discovered hackers in its computer systems on March 17.” TechCrunch reported. “The company concluded its investigation on June 15, finding that the hackers had stolen customers’ names, contact information, and driver’s license numbers.”
The company operates across more than a dozen states through a network of over 9,500 independent agents, handling large volumes of customer identity and vehicle data. Notification letters go out July 10.
The attack vector was a compromised employee credential; how that credential was stolen, whether through phishing, infostealer malware, or a third-party compromise, hasn’t been disclosed.
“On March 17, 2026, the Company detected suspicious activity involving certain Company systems that appears to have resulted from malicious activity on March 16, 2026 that targeted one of theCompany’s employees. The Company promptly began an investigation and engaged external computer forensic specialists to help determine what occurred and what data may have been impacted.” reads the data breach notification.
AssuranceAmerica detected the breach on March 17 but didn’t finish reviewing the affected files until June 15, three months later. The company disabled the compromised credentials, cut off unauthorized sessions, isolated affected systems, and notified law enforcement.
The data stolen covers a wide range of customer information, including names, contact details, and driver’s license numbers. The company hasn’t specified what other personal data types were taken, which is a gap that tends to frustrate regulators and affected customers alike.
“During the investigation, the Company determined that an unauthorized third party accessed certain portions of the Company’s informational technology (IT) environment and copied certain data files.” continues the notification.”The Company subsequently conducted a review of the affected files to identify individuals whose personal information may have been contained within those files. Because of the nature of the files involved and the scope of the required review, this file evaluation process was only recentlycompleted (on June 15, 2026), and we are now providing this notice.”
In response to the incident, the company disabled compromised credentials, removed unauthorized sessions, isolated affected systems, notified law enforcement, and strengthened security controls with password resets, monitoring, and employee training.
“The Company has taken, and continues to take, steps to prevent a similar incident from happening in the future. After detecting the activity, the Company disabled compromised credentials, terminated unauthorized sessions, isolated affected systems as appropriate, and notified law enforcement,” continues the notification. “The Company also implemented additional measures designed to enhance the security of its IT systems and data, including resetting passwords, deploying enhanced monitoring and threat detection tools, and providing additional instruction to personnel regarding cybersecurity threats.”
In June, the Texas Parks and Wildlife Department (TPWD) disclosed a data breach affecting around 3 million individuals after a third-party vendor used for hunting and fishing license sales was compromised.
The Texas Parks and Wildlife Department (TPWD) is the state agency responsible for managing and protecting Texas’s natural and recreational resources.
Hackers may have accessed email addresses, physical addresses, phone numbers, driver’s license details, and passport numbers.
The incident was identified through Texas Cyber Command and highlights risks tied to third-party service providers.
Driver’s license numbers are useful for fraud and impersonation in ways that, say, a leaked email address isn’t, they tie directly to identity verification systems used by financial institutions, government services, and increasingly by websites and apps demanding age verification. The more those systems expand, the more valuable license data becomes to attackers, and the bigger the incentive to go after the insurers, governments, and services that hold it.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data breach)




