Cyber Incident Victim: American Family Insurance

Date: Feb 2021

Location: United States of America

Summary

Unauthorized actors used an automated bot to submit personal information obtained from external sources to American Family Insurance's online quoting platform, potentially acquiring driver's license numbers. The incident affected individuals who did not personally request insurance quotes during the attack window, with 283,734 notified of potential exposure. The compromised data was suspected of facilitating fraudulent unemployment benefit applications, prompting advisories for recipients to monitor communications from state agencies. The organization offered credit monitoring services to impacted parties.

Description

Between February 6 and March 19, 2021, unauthorized parties executed an automated bot attack against American Family Mutual Insurance Company’s online quoting platform. The attackers exploited personal information—including names and addresses—obtained from unknown external sources to submit fraudulent insurance quote requests through the company’s website. This automated process successfully harvested driver’s license numbers associated with the submitted identities. American Family Insurance determined that individuals who did not actively request a quote during this timeframe were impacted, as the attackers used their identities without authorization. The breach specifically compromised driver’s license numbers, with no evidence suggesting exposure of financial data, Social Security numbers, or insurance policy details. The company identified 283,734 individuals potentially affected by the incident.

American Family Insurance initiated breach notifications on or around May 14, 2021, mailing letters signed by Privacy Director Chris Szafranski to all potentially impacted parties. The notifications clarified that individuals who had legitimately requested quotes during the attack window were not affected. The company warned that stolen driver’s license numbers could facilitate fraudulent unemployment benefit applications and advised recipients to scrutinize communications from state unemployment agencies. Affected individuals received guidance on identifying misuse of their data and were offered complimentary credit monitoring services. No technical remediation measures—such as platform takedowns or credential resets—were disclosed in the notification, though the bot attack vector implied exploitation of functional weaknesses in the quoting system’s access controls. The incident’s primary documented consequence remained the risk of identity theft tied to unemployment fraud schemes leveraging exposed driver’s license information.
