Metromile says a website bug let a hacker obtain driver license numbers

Zack Whittaker

Car insurance startup Metromile said it has fixed a security flaw on its website that allowed a hacker to obtain driver license numbers.

The San Francisco-based insurance startup disclosed the security breach in its latest 8-K filing with the U.S. Securities and Exchange Commission.

Metromile said a bug in the quote form and application process on the company's website allowed the hacker to "obtain personal information of certain individuals, including individuals' driver's license numbers." It's not clear exactly how the form allowed the hacker to obtain driver license numbers or how many individuals had their driver license numbers obtained.

The disclosure added: "Metromile immediately took steps to contain and remediate the issue, including by releasing software fixes, notified its insurance carrier, and has continued its ongoing operations. Metromile is working diligently with security experts and legal counsel to ascertain how the incident occurred, identify additional containment and remediation measures, and notify affected individuals, law enforcement, and regulatory bodies, as appropriate."

Rick Chen, a spokesperson for Metromile, said the company has so far confirmed that driver license numbers were accessed, but that the "investigation is still ongoing."

Metromile has not disclosed the security incident on its website or its social channels. Chen said the company plans to notify affected individuals of the incident.

News of the security incident landed as the company confirmed a $50 million investment from former Uber executive Ryan Graves, who will also join the company's board. It comes just weeks after the auto insurance startup announced it was planning to go public via a special purpose acquisition company — or SPAC — in a $1.3 billion deal.