Lawsuit Says American Family Mutual, Midvale Indemnity Exposed Driver’s License Numbers Through Online Quote System
by Erin Shaak
Baysal v. Midvale Indemnity Company et al.
Filed: June 15, 2021 § 3:21-cv-00394
A lawsuit claims a security flaw in Midvale and American Family’s online quoting system allowed consumers’ driver’s license numbers to be unlawfully accessed.
Wisconsin
A proposed class action claims a security flaw in Midvale Indemnity Company and American Family Mutual Insurance Company’s online quoting system allowed consumers’ driver’s license numbers to be accessed by anyone who entered a person’s name, address and/or date of birth.
According to the 39-page case, American Family and subsidiary Midvale have failed to protect the sensitive information with which they were entrusted and instead exposed consumers’ private data to unauthorized parties for spans of time between January and March 2021. As a result, consumers’ personal information has been exposed to “those who should not have access to it,” and proposed class members face a “much higher risk” of identity theft and various cybercrimes, according to the suit.
“This means that for an unknown period of time between at least January 19 and March 19, 2021, Plaintiff’s and Class Members’ drivers’ license numbers were essentially publicly available to anyone on various Defendants’ online platforms due to Defendants’ lax security practices,” the complaint states.
The lawsuit says that both American Family and Midvale allow consumers to get a quote for auto insurance by typing some of their personal information into the companies’ quoting systems on amfam.com or midvaleinsurance.com. After a user enters their information, the defendants’ third-party “prefill supplier” then automatically fills in other details, such as the consumer’s driver’s license number, to provide a quote, the case says.
The suit alleges, however, that the defendants’ system was configured to allow “anyone with a few basic bits of data” to exploit the feature and obtain auto-filled information from the companies’ databases.
Per the case, the defendants were notified by their third-party prefill supplier on March 18, 2021 that hackers were using their insurance quote system to steal driver’s license numbers and addresses belonging to consumers, many of whom never applied for insurance with the companies or “were even necessarily aware of their existence.” According to the case, the Midvale quoting system was unlawfully accessed from January 19 to 29, 2021, while the American Family system was accessed between February 6 and March 19. American Family reported that “283,734 unique driver’s license numbers were returned in the prefill information for all quotes that were generated” during the affected timeframe, the suit says.
The case claims that although the defendants were on notice of the possibility of a data breach, they failed to comply with Federal Trade Commission requirements regarding data security. Per the suit, affected consumers were not notified of the data breach until May 2021.
Given the breadth of the breach and delayed notice of the incident, “it is reasonable for Plaintiff and Class Members in this case to believe that the risk of future harm (including identity theft) is substantial and imminent,” the lawsuit asserts.
The plaintiff, who says he has never requested a quote from the defendants and is not a customer of either company, was notified by the New York State Department of Labor that a claim for unemployment insurance benefits was filed using his identity, the case says. According to the lawsuit, the plaintiff was forced to spend time and energy researching how to respond to the theft of his information and reviewing his credit monitoring service results.
The lawsuit stresses that the consequences of the defendants’ failure to safeguard consumers’ personal information are “long lasting and severe” and may continue for years to come.
The plaintiff looks to represent anyone in the U.S. whose personal information was compromised in the unauthorized data disclosure announced by the defendants on or around May 14, 2021.