DataBreaches.Net


Attorney General James Secures $975,000 from Auto Insurance Company over Data Breach

Posted on March 23, 2025 / March 22, 2025 by Dissent

From a March 20 press release from NY Attorney General Letitia James:

NEW YORK – New York Attorney General Letitia James today secured $975,000 in penalties from Root, an auto insurance company, for failing to protect the personal information of approximately 45,000 New Yorkers. The data breach was part of an industry-wide campaign to steal consumers’ personal information, including driver’s license numbers and dates of birth, from online automobile insurance quoting applications. The data thieves then used some of the stolen driver’s license information to file fraudulent unemployment claims at the height of the COVID-19 pandemic. Root does not offer insurance in New York, but the company’s security failures allowed scammers to gain access to New Yorkers’ driver’s license numbers and personal information. Attorney General James recently secured $5.1 million from GEICO and Travelers, as well as $500,000 from Noblr, for also failing to protect New Yorkers’ data. Today’s settlement brings the total amount secured from auto insurance companies for their failure to protect New Yorkers’ data to $6.57 million.

“When companies have poor data security practices, they put individuals at risk of identity theft and other fraud,” said Attorney General James. “Auto insurance companies need to make sure that the systems they use to store people’s data are protected to prevent cybercriminals from stealing driver’s license numbers, Social Security numbers, and other private information. Today’s settlement should send a message to companies in the auto insurance industry that my office will take action to protect New Yorkers’ private information.”

Root is an insurance company that allows consumers to obtain a price quote through its website. After limited personal information was entered, the online quoting tool “pre-filled” personal information such as driver’s license numbers. Root’s system exposed full, plaintext driver’s license numbers in a PDF generated at the end of the auto quote process.

In January 2021, Root discovered bad actors exploiting the prefill vulnerability. The Office of the Attorney General (OAG) found that Root failed to perform adequate risk assessments on its public-facing web applications, did not identify the plain text exposure of consumer personal information, and employed insufficient controls to thwart automated attacks. Approximately 45,000 New Yorkers were impacted by the Root attack.

The OAG investigation determined that the insurance company failed to adopt reasonable safeguards to protect private information. In addition to paying $975,000 in penalties, Root is required to enhance its data security, including by:

  • Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
  • Developing and maintaining a data inventory of private information and ensuring such information is protected by reasonable safeguards;
  • Maintaining reasonable authentication procedures for access to private information; and
  • Maintaining a logging and monitoring system as well as reasonable policies and procedures designed to properly configure the system to alert of suspicious activity.
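The two failures the release describes, a prefill step that handed back a full plaintext driver's license number and no controls against scripted requests, can be illustrated with an added example; this is not code from the press release or from Root's systems, and the log format, field names and threshold are assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

def mask_dln(dln: str, visible: int = 2) -> str:
    """Keep only the last `visible` characters of a license number.
    A prefill response or generated quote PDF should carry this form,
    never the full value the backend holds."""
    if len(dln) <= visible:
        return "*" * len(dln)
    return "*" * (len(dln) - visible) + dln[-visible:]

def prefill_response(record: dict) -> dict:
    """Data returned to the browser after limited personal info is entered.
    The full number stays server-side; the client only learns one is on file."""
    return {
        "first_name": record["first_name"],
        "dln_masked": mask_dln(record["dln"]),
        "dln_on_file": bool(record.get("dln")),
    }

# Constructed sample log (assumed format: timestamp ip method path name=...):
# one scripted burst from a single IP, plus a genuine shopper retrying once.
SAMPLE_LOG = "\n".join(
    [f"2021-01-15T10:00:{i:02d} 203.0.113.5 POST /quote/prefill name=Applicant{i}"
     for i in range(12)]
    + ["2021-01-15T10:05:00 198.51.100.7 POST /quote/prefill name=Ann Smith",
       "2021-01-15T10:05:30 198.51.100.7 POST /quote/prefill name=Ann Smith"]
)

def flag_prefill_abuse(log: str, max_distinct: int = 10,
                       window: timedelta = timedelta(minutes=1)) -> set:
    """Flag source IPs that submit many distinct applicants inside one window,
    the signature of automated enumeration rather than a real shopper."""
    events = defaultdict(list)
    for line in log.splitlines():
        parts = line.split(" ", 4)
        if len(parts) < 5 or parts[3] != "/quote/prefill":
            continue
        ts = datetime.fromisoformat(parts[0])
        events[parts[1]].append((ts, parts[4][len("name="):]))
    flagged = set()
    for ip, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            names = {n for t, n in evs[i:] if t - t0 <= window}
            if len(names) >= max_distinct:
                flagged.add(ip)
                break
    return flagged
```

Running `flag_prefill_abuse(SAMPLE_LOG)` flags only the bursting IP, which is the kind of alert the logging and monitoring requirement above is meant to produce.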

Attorney General James is a leader in holding companies accountable for having poor cybersecurity. In March 2025, Attorney General James sued Allstate Insurance for failing to protect New Yorkers’ information, causing more than 165,000 New Yorkers’ information to be exposed. In December 2024, Attorney General James announced a $500,000 settlement with Noblr auto insurance for inadequate data security. In November 2024, Attorney General James and Department of Financial Services Superintendent Adrienne Harris secured $11.3 million from GEICO and Travelers for having poor data security. In October 2024, Attorney General James secured $2.25 million from a Capital Region health care provider for failing to protect the private information and medical data of New Yorkers. In August 2024, Attorney General James and a multistate coalition secured $4.5 from a biotech company for failing to protect patient data. In July 2024, Attorney General James launched two privacy guides, a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web, to help businesses and consumers protect themselves. In April 2023, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices.

This matter was led by Assistant Attorneys General Gena Feist and Laura Mumm, and former Assistant Attorneys General Hanna Baek and Ezra Sternstein, Data Security Analyst Nishaant Goswamy, and former Internet and Technology Analyst Joe Graham, under the supervision of Deputy Bureau Chief Clark Russell and Bureau Chief Kim Berger of the Bureau of Internet and Technology. Data analysis was provided by Data Analyst Casey Marescot and Data Scientist Blythe Davis, under the supervision of Deputy Director Gautam Sisodia, Director Victoria Khan, former Deputy Director Megan Thorsfeldt, and former Director Jonathan Werberg of the Research and Analytics Department. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.

Category: Breach Incidents, Commentaries and Analyses

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.