(WNY News Now) Noblr, an auto insurance firm, has agreed to pay Attorney General Letitia James $500,000 for failing to protect the private data of more than 80,000 New Yorkers.
NEW YORK - Today, New York Attorney General Letitia James obtained $500,000 from Noblr, an auto insurance firm, for failing to secure over 80,000 New Yorkers’ personal information after a data breach. Scammers used the data breach as part of a larger industry-wide effort to get personal data from online car insurance quote forms, including dates of birth and driver’s license numbers. At the height of the COVID-19 outbreak, the scammers then filed false jobless claims using part of the stolen driver’s license information. The total amount recovered from vehicle insurance firms for cybersecurity lapses now stands at $5.6 million after Attorney General James held Travelers and GEICO responsible for failing to protect the personal information of New Yorkers in addition to Noblr.
According to Attorney General James, auto insurance firms provide drivers with emergency protection, but they also need to safeguard their personal data from fraudsters and hackers. Due to Noblr’s failure to secure its data systems, scammers were able to easily get the personal information of New Yorkers and use part of that information to falsely apply for unemployment benefits. We are reminding all businesses that cybersecurity must be their top priority and holding Noblr accountable today for their carelessness with the personal information of New Yorkers.
Through an online insurance quoting tool, customers can get a pricing quote from Noblr, an insurance provider. Full, unencrypted driver’s license numbers were made public by Noblr’s quoting tool in a variety of ways, such as on the website’s backend and in PDFs produced after a transaction. Additionally, despite the fact that Noblr does not provide insurance products in New York, it did not prevent users from providing the personal information of New York residents.
In January 2021, Noblr found scammers taking advantage of the prefill vulnerability. Delays in identifying the attack resulted from Noblr’s failure to continuously monitor site traffic. Additionally, it was challenging to discern fraudulent activity from genuine customer inquiries due to the site’s lack of traffic monitoring. The information of almost 80,000 people in New York was made public by the attack on Noblr’s auto-quoting function.
The insurance business did not implement appropriate precautions to protect private information, according to the Office of the Attorney General’s inquiry. Noblr must improve its data security in addition to paying $500,000 in fines, which includes:
- Enhancing its web application defenses;
- Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
- Developing and maintaining a data inventory of private information and ensuring such information is protected by reasonable safeguards;
- Maintaining reasonable authentication procedures for access to private information; and
- Maintaining a logging and monitoring system to alert on suspicious activity within their systems.
Attorney General James has taken several actions to hold companies accountable for having poor cybersecurity and to improve data security practices. Last month, Attorney General James and DFS Superintendent Adrienne Harris secured $11.3 million from GEICO and Travelers for having poor data security. In October 2024, Attorney General James secured $2.25 million from a Capital Region health care provider for failing to protect the private information and medical data of New Yorkers. In August 2024, Attorney General James and a multistate coalition secured $4.5 from a biotech company for failing to protect patient data. In July, Attorney General James launched two privacy guides, a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web, to help businesses and consumers protect themselves. In July, Attorney General James also issued a consumer alert to raise awareness about free credit monitoring and identity theft protection services available for millions of consumers impacted by the Change Healthcare data breach. In April 2023, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices. In January 2022, Attorney General James released a business guide for credential stuffing attacks that detailed how businesses could protect themselves and consumers.
Under the direction of Deputy Bureau Chief Clark Russell and Bureau Chief Kim Berger of the Bureau of Internet and Technology, this case was led by Assistant Attorneys General Gena Feist and Laura Mumm, former Assistant Attorneys General Hanna Baek and Ezra Sternstein, Data Security Analyst Nishaant Goswamy, and former Internet and Technology Analyst Joe Graham. Data analysis was provided by Data Analyst Casey Marescot and Data Scientist Blythe Davis, under the supervision of Deputy Director Gautam Sisodia, Director Victoria Khan, former Director Megan Thorsfeldt, and former Director Jonathan Werberg of the Research and Analytics Department. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.