7 million driver's licenses stolen: the biggest data breach of 2026
AssuranceAmerica suffers a massive cyberattack exposing identity data of nearly 7 million people, including driver's license numbers and possibly SSNs.
July 12, 2026 · 4 min read
TL;DR: AssuranceAmerica confirmed the theft of 6.99 million driver's licenses after a three-month attack. License numbers are permanent and highly valuable for fraud. It is the largest breach of its kind in 2026.
What happened?
On July 10, 2026, auto insurer AssuranceAmerica began notifying nearly 7 million people that their personal data and driver's license numbers were stolen in a cyberattack. According to the breach notice filed with the attorneys general of Indiana and Maine, hackers accessed its systems on March 16, 2026, one day before the company detected suspicious activity. The forensic investigation concluded on June 15, but those affected were not informed until almost four months after the attack.
The stolen data includes names, contact information, policy details, vehicle information, and crucially, driver's license numbers. Additional sources indicate that Social Security numbers and tax identification numbers may also have been compromised for a portion of those affected.
AssuranceAmerica, founded in 1998 and headquartered in Atlanta, provides auto and rental insurance to more than 9,500 agents in over a dozen U.S. states, primarily in the Southeast. The company operates in 14 states, including Alabama, Florida, Georgia, and Texas. The breach affects 6.99 million people, making it the largest leak of driver's license numbers in history.
Why is this important?
A driver's license is a high-value identity document on the black market. Unlike a password or credit card number, it cannot be changed. It is tied to physical data (height, weight, date of birth) and is used as primary verification in multiple processes, from car rentals to loan applications. With this information, an attacker can impersonate the victim persistently.
This incident is the largest data breach of driver's licenses reported to date, surpassing previous cases like Marriott or Equifax in terms of this specific data type. For context, the Equifax breach in 2017 affected 147 million people but only exposed Social Security numbers, not driver's licenses. The Marriott breach in 2018 affected 500 million guests, but identity data was limited. In contrast, this breach focuses on a physical identity document that is difficult to replace.
Moreover, the delay in notification (nearly four months) is concerning and may violate legal deadlines in several states. For example, in Texas companies must notify within 60 days, while in Florida it is 30 days. AssuranceAmerica has not issued a public statement on the reasons for the delay, but cybersecurity experts note that forensic investigation times are often long, though the company could have informed affected individuals earlier on a preliminary basis.
Consequences for those affected
- Risk of identity fraud: License numbers can be used to open accounts, apply for credit, or rent vehicles in the victim's name. According to a Javelin Strategy & Research study, identity fraud cost U.S. consumers $56 billion in 2025, and stolen identity documents are a key vector.
- Inability to renew: Unlike a credit card, the license number cannot be easily changed; only some states like California and New York allow requesting a new number after a breach, but the process is cumbersome and does not always guarantee the old number is invalidated.
- Long-term damage: Impersonation can affect credit history and take years to resolve. The Federal Trade Commission (FTC) recommends identity theft victims file a report and monitor their credit reports for at least one year.
AssuranceAmerica offers credit and identity monitoring services for 12 months through Kroll, but experts consider this insufficient given the permanent value of the license. Compared to other breaches, such as T-Mobile in 2021 which offered 2 years of protection, AssuranceAmerica's offer is modest. Additionally, credit monitoring does not detect fraudulent use of a driver's license in non-credit contexts, such as vehicle rentals or background checks.
What readers should know
If you are an AssuranceAmerica customer in the 14 states where it operates (primarily the southeastern U.S.), check if you have received a notification. Activate identity monitoring, freeze your credit, and report any suspicious activity. Consider requesting a new license number from your local DMV if possible; some states like Georgia and Florida allow this process after a breach, though it may require an affidavit.
This case underscores the need for companies to improve detection and notification times, and for regulators to enforce stricter deadlines for informing those affected. The AssuranceAmerica breach also highlights the vulnerability of the insurance sector, which handles large volumes of sensitive data. According to IBM's 2025 Cost of a Data Breach report, the financial and insurance sector has an average breach cost of $5.85 million, but reputational damage can be greater. AssuranceAmerica now faces potential class-action lawsuits and regulatory fines.
For users, the lesson is clear: in any breach involving identity documents, immediate action is crucial. Do not wait for the company to take steps; freeze your credit, monitor your accounts, and if possible, change your license number. Prevention and rapid response are the only defenses against identity theft that can last for years.