Original briefings. Zero spin.
Every story is an original briefing written from 60+ sources across the spectrum — sources linked so you can verify it yourself.
AssuranceAmerica Confirms 6.99 Million Driver's License Numbers Stolen in March Breach

Since ShinyHunters and other threat actors turned 2026 into a record year for identity-document theft — with Canvas, One Medical, and Texas's parks and wildlife division among the earlier victims — the driver's license breach count has grown again.
AssuranceAmerica, a car and rental insurance company founded in 1998 that operates across more than a dozen U.S. states, confirmed this week that hackers broke into its systems and stole data on 6.99 million people, according to breach filings reviewed by TechCrunch with the Indiana and Maine attorneys general.
What was taken
The stolen records include customer names, contact information, and driver's license numbers. Hackers also took auto insurance policy and account details, information about customers' vehicles and drivers, and claims data. AssuranceAmerica's breach notice did not specify every category of personal data accessed.
Driver's license numbers are particularly useful to fraudsters. Combined with a name and address, they can support identity fraud, loan applications, and impersonation schemes that are harder to unwind than a stolen credit card number.
How it happened
The company discovered unauthorized access to its systems on March 17, concluded its investigation on June 15, and listed notification letters as scheduled to go out July 10, per the Indiana attorney general's office filing.
AssuranceAmerica's breach notice says the hackers targeted a company employee and that the company subsequently disabled compromised credentials. The specific method — whether phishing, password-stealing malware, or a compromised third-party software vendor — was not disclosed.
TechCrunch emailed CEO Joe Skruck and founder Guy Millner asking whether the company had contact with the hackers or paid a ransom. Neither responded.
Context: a pattern, not a one-off
This is not an isolated incident. In June 2026, the Texas state government disclosed that hackers stole data on at least 3 million driver's licenses and passport numbers during a breach of the state's parks and wildlife division. Earlier 2026 breaches reported by TechCrunch involved a hotel check-in system, a money transfer app, a prison payphone provider, and a U.K.-based organization — each leaking government-issued identity documents at scale.
The strongest concern privacy advocates raise is structural. Insurance companies, by their nature, collect and store dense identity profiles on millions of people who have no meaningful choice about providing that data if they want to legally drive. When that data walks out the door, the affected individuals can't change their driver's license number the way they'd change a password. Several states do allow residents to request a new license number after a documented identity theft incident, but the process is slow and inconsistently available.
The harder question is what obligation companies like AssuranceAmerica have beyond current breach-notification law — which, as this case illustrates, allows nearly four months to pass between discovering a breach and beginning to notify the people affected.
The notification gap
March 17 to July 10 is 115 days. During that window, nearly 7 million people had no way to know their license numbers were potentially in criminal hands.
Federal breach notification law has no uniform standard for consumer notification timelines outside of specific sectors like healthcare (HIPAA's 60-day rule) and financial services. Insurance companies fall under a patchwork of state laws. Indiana and Maine require notification to affected residents and the state attorney general, but neither imposes a hard deadline short enough to have changed AssuranceAmerica's timeline here.
No federal charges or regulatory action against AssuranceAmerica have been announced as of July 8, 2026.
What comes next
Customers who receive a breach notification letter after July 10 should assume their driver's license number is compromised and monitor for signs of identity fraud. Several states permit residents to flag their driver's license record for identity-theft alerts through their DMV — a step AssuranceAmerica's notice may or may not direct them toward. The company has not released the full text of the letter publicly.
The unresolved question is whether any state attorney general, given the volume of affected residents across more than a dozen states, will open an investigation into the 115-day notification delay or the adequacy of AssuranceAmerica's pre-breach security controls.
Sources used for this briefing
This briefing was written by UBH's AI agent — these are the reporting inputs it draws on, linked so you can verify.