Monday, November 25

$11.3M Secured from GEICO, Travelers Over Data Breaches Exposing 120K New Yorkers’ Personal Information

(WNY News Now) In a historic settlement, DFS Superintendent Adrienne Harris and New York Attorney General Letitia James hold two large auto insurers responsible for cybersecurity breaches that exposed the private data of thousands of New Yorkers.

NEW YORK - Two auto insurance companies, the Government Employees Insurance Company (GEICO) and The Travelers Indemnity Company (Travelers), were fined $11.3 million today by New York Attorney General Letitia James and New York State Department of Financial Services (DFS) Superintendent Adrienne A. Harris for their inadequate data security, which resulted in the compromise of the personal data of over 120,000 New Yorkers. These incidents were part of an industry-wide hacking campaign to steal customer data, including driver’s license numbers and dates of birth, from online car insurance quote applications such as those used by Travelers and GEICO. At the height of the COVID-19 outbreak, the hackers then filed false unemployment claims using some of the stolen driver’s license information. According to the OAG’s inquiry, the auto insurance companies failed to put in place adequate data security measures to safeguard the private information of their customers. The companies were also found to have violated DFS’s cybersecurity law, which mandates that they put in place policies, processes, and controls aimed at safeguarding customer information and the financial institutions themselves. Travelers will pay $1.55 million and GEICO will pay $9.75 million in fines as a result of today’s settlements.

Attorney General James claimed that although GEICO and Travelers provide drivers with emergency protection, they did not safeguard the private information of their customers. Since major fraud can result from data breaches, it is critical that all businesses take cybersecurity and data protection seriously. I express my gratitude to the Department of Labor and the Department of Financial Services for their collaboration and ongoing efforts to hold businesses responsible when they do not safeguard consumers.

According to Superintendent Adrienne Harris, DFS’s innovative cybersecurity rule lays the groundwork for guaranteeing the protection of private customer information and the robustness of financial institutions. The Department’s commitment to ensuring that all licensees, particularly those entrusted with consumer financial information like GEICO and Travelers, fulfill their obligation to put strong safeguards in place that protect New Yorkers from potential data breaches and cyber threats is reaffirmed by these enforcement actions. For their cooperation during these investigations, I am grateful to the Attorney General’s office.


A series of cyberattacks on GEICO’s auto insurance quote tools began in November 2020. Due to GEICO’s failure to secure this data on the website’s back end, hackers were able to get New Yorkers’ driver’s license numbers from the company’s publicly accessible website. Despite experiencing, revealing, and fixing individual cybersecurity problems, as well as being informed by DFS of an industry-wide hacker campaign to steal driver’s license numbers, GEICO neglected to perform a thorough assessment of its systems to stop and identify future intrusions. After the company fixed its website vulnerabilities, hackers took advantage of flaws in GEICO’s insurance agents’ quoting tool, which is a different platform from the consumer-facing insurance quotes website. The GEICO cyberattacks exposed the personal data of about 116,000 people in New York, the great majority of whom had their information stolen from GEICO’s insurance agents’ quote tool. During the COVID-19 epidemic, some of the leaked data was later used to submit unemployment claims.

Travelers’ independent agent auto insurance quote tool was the target of a hack. Travelers received many industry notifications between January and April 2021 alerting it to the fact that hackers were using insurance quote platforms to get driver’s license numbers. In April 2021, hackers used compromised agent credentials to access the Travelers agent site, which let users create reports that contained customers’ complete driver’s license information in plain text. Although the insurance agent site was password-protected, it lacked multifactor authentication and other compensating safeguards, which made it more vulnerable to hacking. A third-party prefill data provider notified Travelers of the intrusion after the company had been unaware of the agent portal breach for over seven months. About 4,000 New Yorkers’ personal information was exposed in the Travelers attack.


According to today’s agreements, Travelers and GEICO must pay fines to the state and drastically improve their security. OAG obtained $4,750,000 and DFS obtained $5 million of the $9,750,000 in penalties that GEICO will pay. OAG and DFS collected $350,000 and $1,200,000 of the $1,550,000 in penalties that Travelers will pay.

Along with the fines, the OAG settlement agreement mandates that the businesses implement a number of actions to improve their cybersecurity procedures moving ahead, such as:

- maintaining a thorough information security program intended to safeguard the integrity, confidentiality, and security of personal data;
- creating and maintaining a data inventory of private information, and making sure that information is protected by safeguards;
- maintaining appropriate authentication protocols for private data access;
- enhancing their threat response protocols; and
- maintaining a logging and monitoring system, and establishing appropriate policies and processes to configure that system to alert on suspicious activity.

GEICO agreed to carry out corrective actions as part of its settlement with DFS, which included a thorough cybersecurity risk assessment and penetration testing as well as the creation of an action plan to resolve any issues that may arise. Travelers committed to evaluating access restrictions, reviewing its systems, and strengthening safeguards against illegal access to nonpublic personal information (NPI).

Attorney General James acknowledges the efforts of the Office of Special Investigations of the New York State Department of Labor.

Attorney General James has taken a number of steps to tighten data security procedures and hold businesses responsible for their inadequate cybersecurity. Attorney General James obtained $2.25 million in October 2024 from a healthcare provider in the Capital Region for neglecting to safeguard the medical records and personal information of New Yorkers. A multistate coalition led by Attorney General James obtained $4.5 from a biotech corporation in August 2024 for its failure to protect patient data. Attorney General James released two privacy guides in July to assist consumers and businesses in protecting themselves: a Consumer Guide to Tracking on the Web and a Business Guide to Website Privacy Controls. Attorney General James also sent a consumer alert in July to inform millions of customers affected by the Change Healthcare data leak about free identity theft protection and credit monitoring services. Attorney General James published a thorough data security guide in April 2023 to assist businesses in improving their data security procedures. Attorney General James published a business guide on credential stuffing attacks in January 2022, outlining steps for companies to take to safeguard both customers and themselves.


Under the direction of Deputy Bureau Chief Clark Russell and Bureau Chief Kim Berger of the Bureau of Internet and Technology, these cases were led for OAG by former Assistant Attorneys General Hanna Baek and Ezra Sternstein, with support from Assistant Attorneys General Gena Feist and Laura Mumm, Senior Enforcement Counsel Jordan Adler, Data Security Analyst Nishaant Goswamy, and former Internet and Technology Analyst Joe Graham. Under the direction of Deputy Director Gautam Sisodia, Director Victoria Khan, former Deputy Director Megan Thorsfeldt, and former Director Jonathan Werberg of the Research and Analytics Department, Data Scientist Blythe Davis and Data Analyst Casey Marescot performed the data analysis. First Deputy Attorney General Jennifer Levy is in charge of the Division for Economic Justice, which includes the Bureau of Internet and Technology. Chief Deputy Attorney General Chris D’Angelo leads this division.
