Attorney General James and DFS Superintendent Harris Secure $11.3 Million from Auto Insurance Companies over Data Breaches
NEW YORK - New York Attorney General Letitia James and New York State Department of Financial Services (DFS) Superintendent Adrienne A. Harris today secured $11.3 million in penalties from two auto insurance companies, the Government Employees Insurance Company (GEICO) and The Travelers Indemnity Company (Travelers), for having poor data security, which led to the personal information of more than 120,000 New Yorkers being compromised. These events were part of an industry-wide campaign by hackers to steal consumers' personal information, including driver's license numbers and dates of birth, from online automobile insurance quoting applications, including those used by GEICO and Travelers. The hackers then used some of the stolen driver's license information to file fraudulent unemployment claims at the height of the COVID-19 pandemic. The OAG investigation concluded that the auto insurance companies did not implement sufficient data security controls to protect consumers' private information. The DFS investigation concluded that the auto insurance companies did not comply with DFS's cybersecurity regulation that requires them to implement policies, procedures, and controls designed to protect consumer data and the financial institutions themselves. As a result of today's settlements, GEICO will pay $9.75 million in penalties and Travelers will pay $1.55 million.

"GEICO and Travelers offer drivers protection during times of emergencies, but these companies failed to protect consumers' personal information," said Attorney General James. "Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously. I thank the Department of Financial Services and the Department of Labor for their partnership and continued work to hold companies accountable when they fail to protect consumers."

"DFS's groundbreaking cybersecurity regulation establishes a vital foundation for ensuring the safety of sensitive consumer data and the resilience of financial institutions," said Superintendent Adrienne Harris. "These enforcement actions reinforce the Department's commitment to ensuring that all licensees, especially those entrusted with consumer financial information like GEICO and Travelers, uphold their duty to implement robust measures that shield New Yorkers from potential data breaches and cyber threats. I thank the Attorney General's office for their coordination during these investigations."

Starting in November 2020, GEICO experienced a series of cyberattacks on its auto insurance quoting tools. Hackers were able to obtain New Yorkers' driver's license numbers from GEICO's publicly-facing website because GEICO failed to protect this information on the website's back end. Despite being notified by DFS of an industry-wide cyberattack campaign to obtain driver's license numbers, and suffering, disclosing, and remediating separate cybersecurity incidents, GEICO failed to conduct a comprehensive review of its systems to prevent and detect future cyberattacks. After GEICO remediated its website vulnerabilities, hackers exploited vulnerabilities in GEICO's insurance agents' quoting tool, a separate platform from the consumer-facing insurance quotes website. The personal information of approximately 116,000 New York residents was exposed in the GEICO cyberattacks, with the vast majority being lifted from GEICO's insurance agents' quoting tool. Some of the exposed data was later used to file unemployment claims during the COVID-19 pandemic.

Travelers experienced a cyberattack on its auto insurance quoting tool for independent agents. Between January and April 2021, Travelers received several industry alerts warning that hackers were obtaining driver's license numbers through insurance quoting tools. In April 2021, hackers gained access to Travelers' agent portal through the use of compromised agent credentials, which allowed users to generate reports that included consumers' full driver's license numbers in plain text. The insurance agent portal was password protected but did not use multifactor authentication or any other compensating controls, making it easier to exploit. Travelers did not detect the breach of its agent portal for more than seven months and was alerted to the attack by a third-party prefill data provider. The Travelers attack exposed the personal information of approximately 4,000 New Yorkers.

Today's agreements require GEICO and Travelers to significantly enhance their security and pay penalties to the state. GEICO will pay $9,750,000 in penalties, of which OAG secured $4,750,000 and DFS secured $5 million. Travelers will pay $1,550,000 in penalties, of which OAG secured $350,000 and DFS secured $1,200,000.

In addition to the penalties, the OAG settlement agreement requires the companies to adopt a series of measures aimed at strengthening their cybersecurity practices going forward, including:

As part of this settlement with DFS, GEICO agreed to conduct remedial measures, including a comprehensive cybersecurity risk assessment and penetration testing, and the development of an action plan to address any resulting concerns. Travelers agreed to review its systems, assess access controls, and improve protections against unauthorized access to NPI (nonpublic personal information).

Attorney General James thanks the New York State Department of Labor's Office of Special Investigations for their work on this matter.

Attorney General James has taken several actions to hold companies accountable for having poor cybersecurity and to improve data security practices. In October 2024, Attorney General James secured $2.25 million from a Capital Region health care provider for failing to protect the private information and medical data of New Yorkers. In August 2024, Attorney General James and a multistate coalition secured 45 from a biotech company for failing to protect patient data. In July, Attorney General James launched two privacy guides, a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web, to help businesses and consumers protect themselves. In July, Attorney General James also issued a consumer alert to raise awareness about free credit monitoring and identity theft protection services available for millions of consumers impacted by the Change Healthcare data breach. In April 2023, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices. In January 2022, Attorney General James released a business guide for credential stuffing attacks that detailed how businesses could protect themselves and consumers.

These matters were led for OAG by former Assistant Attorneys General Hanna Baek and Ezra Sternstein, with assistance from Assistant Attorneys General Gena Feist and Laura Mumm, Senior Enforcement Counsel Jordan Adler, Data Security Analyst Nishaant Goswamy, and former Internet and Technology Analyst Joe Graham, under the supervision of Deputy Bureau Chief Clark Russell and Bureau Chief Kim Berger of the Bureau of Internet and Technology. Data analysis was provided by Data Analyst Casey Marescot and Data Scientist Blythe Davis, under the supervision of Deputy Director Gautam Sisodia, Director Victoria Khan, former Deputy Director Megan Thorsfeldt, and former Director Jonathan Werberg of the Research and Analytics Department. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D'Angelo and overseen by First Deputy Attorney General Jennifer Levy.