Attorney General James and DFS Superintendent Harris Secure $11.3 Million from Auto Insurance Companies over Data Breaches

Posted on November 25, 2024 by Dissent

NEW YORK – New York Attorney General Letitia James and New York State Department of Financial Services (DFS) Superintendent Adrienne A. Harris today secured $11.3 million in penalties from two auto insurance companies, the Government Employees Insurance Company (GEICO) and The Travelers Indemnity Company (Travelers), for having poor data security which led to the personal information of more than 120,000 New Yorkers being compromised. These events were part of an industry-wide campaign by hackers to steal consumers’ personal information, including driver’s license numbers and dates of birth, from online automobile insurance quoting applications, including those used by GEICO and Travelers. The hackers then used some of the stolen driver’s license information to file fraudulent unemployment claims at the height of the COVID-19 pandemic. The OAG investigation concluded that the auto insurance companies did not implement sufficient data security controls to protect consumers’ private information. The DFS investigation concluded that the auto insurance companies did not comply with DFS’s cybersecurity regulation that requires them to implement policies, procedures, and controls designed to protect consumer data and the financial institutions themselves. As a result of today’s settlements, GEICO will pay $9.75 million in penalties and Travelers will pay $1.55 million.

“GEICO and Travelers offer drivers protection during times of emergencies, but these companies failed to protect consumers’ personal information,” said Attorney General James. “Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously. I thank the Department of Financial Services and the Department of Labor for their partnership and continued work to hold companies accountable when they fail to protect consumers.”

“DFS’s groundbreaking cybersecurity regulation establishes a vital foundation for ensuring the safety of sensitive consumer data and the resilience of financial institutions,” said Superintendent Adrienne Harris. “These enforcement actions reinforce the Department’s commitment to ensuring that all licensees, especially those entrusted with consumer financial information like GEICO and Travelers, uphold their duty to implement robust measures that shield New Yorkers from potential data breaches and cyber threats. I thank the Attorney General’s office for their coordination during these investigations.”

Starting in November 2020, GEICO experienced a series of cyberattacks on its auto insurance quoting tools. Hackers were able to obtain New Yorkers’ driver’s license numbers from GEICO’s publicly-facing website because GEICO failed to protect this information on the website’s back end. Despite being notified by DFS of an industry-wide cyberattack campaign to obtain driver’s license numbers, and suffering, disclosing, and remediating separate cybersecurity incidents, GEICO failed to conduct a comprehensive review of its systems to prevent and detect future cyberattacks. After GEICO remediated its website vulnerabilities, hackers exploited vulnerabilities in GEICO’s insurance agents’ quoting tool, a separate platform from the consumer-facing insurance quotes website. The personal information of approximately 116,000 New York residents was exposed in the GEICO cyberattacks, with the vast majority being lifted from GEICO’s insurance agents’ quoting tool. Some of the exposed data was later used to file unemployment claims during the COVID-19 pandemic.

Travelers experienced a cyberattack on its auto insurance quoting tool for independent agents. Between January and April 2021, Travelers received several industry alerts warning that hackers were obtaining driver’s license numbers through insurance quoting tools. In April 2021, hackers gained access to Travelers’ agent portal through the use of compromised agent credentials, which allowed users to generate reports that included consumers’ full driver’s license numbers in plain text. The insurance agent portal was password protected but did not use multifactor authentication or any other compensating controls, making it easier to exploit. Travelers did not detect the breach of its agent portal for more than seven months and was alerted to the attack by a third-party prefill data provider. The Travelers attack exposed the personal information of approximately 4,000 New Yorkers.

Today’s agreements require GEICO and Travelers to significantly enhance their security and pay penalties to the state. GEICO will pay $9,750,000 in penalties, of which OAG secured $4,750,000 and DFS secured $5 million. Travelers will pay $1,550,000 in penalties, of which OAG secured $350,000 and DFS secured $1,200,000.

In addition to the penalties, the OAG settlement agreement requires the companies to adopt a series of measures aimed at strengthening their cybersecurity practices going forward, including:

  • Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
  • Developing and maintaining a data inventory of private information and ensuring the information is protected by safeguards;
  • Maintaining reasonable authentication procedures for access to private information;
  • Maintaining a logging and monitoring system as well as reasonable policies and procedures designed to properly configure such system to alert on suspicious activity; and
  • Enhancing their threat response procedures.
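As an added illustration, not taken from the press release or from either company's systems, the Python sketch below shows the kind of logging and alerting the settlement terms describe, applied to the agent-portal failure mode in the Travelers account: it parses constructed audit lines from a hypothetical agent quoting portal, flags an agent account whose report exports spike or arrive from an address never seen on that account, and masks driver's license numbers before they reach a report. The log format, field names, thresholds and sample values are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines (assumed format: ts|agent_id|source_ip|action|records).
SAMPLE_LOG = """\
2021-04-02T09:05:11|agent-0117|203.0.113.5|quote_lookup|1
2021-04-02T09:07:42|agent-0117|203.0.113.5|report_export|3
2021-04-02T09:10:03|agent-0442|198.51.100.7|report_export|2
2021-04-02T21:14:20|agent-0442|192.0.2.66|report_export|250
2021-04-02T21:15:51|agent-0442|192.0.2.66|report_export|250
2021-04-02T21:17:09|agent-0442|192.0.2.66|report_export|250
"""

LINE_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<agent>[^|]+)\|(?P<ip>[^|]+)\|(?P<action>[^|]+)\|(?P<n>\d+)$")
# Hypothetical shape of a licence number: optional letter followed by 7-12 digits.
DL_RE = re.compile(r"\b[A-Z]?\d{7,12}\b")


def parse_log(text):
    """Parse audit lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            e["n"] = int(e["n"])
            events.append(e)
    return events


def flag_bulk_exports(events, max_records_per_hour=100):
    """Alert once per agent-hour when exported records exceed the baseline,
    and when an export comes from an IP not seen earlier on that account."""
    alerts, per_hour, known_ips = [], defaultdict(int), defaultdict(set)
    for e in events:
        if e["action"] != "report_export":
            known_ips[e["agent"]].add(e["ip"])  # learn IPs from ordinary activity
            continue
        if known_ips[e["agent"]] and e["ip"] not in known_ips[e["agent"]]:
            alerts.append((e["agent"], "new_ip", e["ip"]))
        known_ips[e["agent"]].add(e["ip"])
        key = (e["agent"], e["ts"].replace(minute=0, second=0))
        before = per_hour[key]
        per_hour[key] += e["n"]
        if per_hour[key] > max_records_per_hour >= before:  # crossed the threshold now
            alerts.append((e["agent"], "bulk_export", per_hour[key]))
    return alerts


def mask_driver_license(text):
    """Keep only the last four characters of anything shaped like a licence number."""
    return DL_RE.sub(lambda m: "*" * (len(m.group()) - 4) + m.group()[-4:], text)
```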

As part of this settlement with DFS, GEICO agreed to conduct remedial measures, including a comprehensive cybersecurity risk assessment and penetration testing, and the development of an action plan to address any resulting concerns. Travelers agreed to review its systems, assess access controls, and improve protections against unauthorized access to NPI (nonpublic personal information).

Attorney General James thanks the New York State Department of Labor’s Office of Special Investigations for their work on this matter.

Attorney General James has taken several actions to hold companies accountable for having poor cybersecurity and to improve data security practices. In October 2024, Attorney General James secured $2.25 million from a Capital Region health care provider for failing to protect the private information and medical data of New Yorkers. In August 2024, Attorney General James and a multistate coalition secured $4.5 from a biotech company for failing to protect patient data. In July, Attorney General James launched two privacy guides, a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web, to help businesses and consumers protect themselves. In July, Attorney General James also issued a consumer alert to raise awareness about free credit monitoring and identity theft protection services available for millions of consumers impacted by the Change Healthcare data breach. In April 2023, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices. In January 2022, Attorney General James released a business guide for credential stuffing attacks that detailed how businesses could protect themselves and consumers.

These matters were led for OAG by former Assistant Attorneys General Hanna Baek and Ezra Sternstein, with assistance from Assistant Attorneys General Gena Feist and Laura Mumm, Senior Enforcement Counsel Jordan Adler, Data Security Analyst Nishaant Goswamy, and former Internet and Technology Analyst Joe Graham, under the supervision of Deputy Bureau Chief Clark Russell and Bureau Chief Kim Berger of the Bureau of Internet and Technology. Data analysis was provided by Data Analyst Casey Marescot and Data Scientist Blythe Davis, under the supervision of Deputy Director Gautam Sisodia, Director Victoria Khan, former Deputy Director Megan Thorsfeldt, and former Director Jonathan Werberg of the Research and Analytics Department. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.

Source: NYS Attorney General Letitia James
