Cyber Incident Victim: Metromile
Date:
Feb 2021
Location:
United States of America
Summary
A car insurance startup experienced a security breach when a website vulnerability in its quote and application forms allowed unauthorized access to driver's license numbers. The company promptly addressed the flaw by deploying software fixes, engaged security experts and legal counsel for investigation, and initiated notifications to affected individuals and authorities. While confirming the compromise of driver's license data, the investigation remained ongoing at the time of disclosure. The incident coincided with significant corporate developments, including a major investment and plans to go public through a special acquisition deal.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In early February 2021, Metromile, a San Francisco-based car insurance startup, disclosed a security breach stemming from a vulnerability in its website’s quote form and application process. The flaw enabled an unidentified hacker to access personal information, specifically driver’s license numbers, though the exact exploitation method and total number of affected individuals remained unconfirmed at the time of reporting. The company detected the incident and promptly implemented software fixes to remediate the bug, halting further unauthorized access. Metromile formally reported the breach in an 8-K filing with the U.S. Securities and Exchange Commission on February 2, 2021, confirming the compromise of sensitive data but providing no additional specifics regarding the attack’s duration or technical mechanisms. Immediate containment actions included notifying its insurance carrier and maintaining standard business operations while collaborating with external security experts and legal advisors to investigate the incident’s root cause.
The breach investigation remained ongoing as of the disclosure date, with spokesperson Rick Chen verifying that driver’s license numbers were definitively accessed but offering no timeline for completion. Metromile had not publicly acknowledged the incident through its website or social media channels, opting instead to directly notify impacted individuals at an unspecified future date. Regulatory bodies and law enforcement were expected to receive formal notifications pending further findings. The security incident coincided with significant corporate developments, including a $50 million investment from former Uber executive Ryan Graves and Metromile’s planned $1.3 billion public listing via a special purpose acquisition company (SPAC), though no direct operational or financial impacts from the breach were cited in the disclosure. The company emphasized its continued focus on implementing additional containment measures and refining remediation protocols throughout the investigative process.