The State of New York has secured an $11.3m settlement from two car insurance companies over the breach of sensitive data of more than 120,000 of its citizens.
Poor data security practices led to the data breaches according to the New York Attorney General and State Department of Financial Services (DFS).
The two firms, the Government Employees Insurance Company (GEICO) and The Travelers Indemnity Company (Travelers), “failed to protect consumers’ personal information,” according to New York Attorney General Letitia James.
“Data breaches can lead to serious fraud and that is why it is important for all companies to take cybersecurity and data protection seriously,” she added.
Some of the stolen driver’s license information exposed in the GEICO breach was used to file fraudulent unemployment claims at the height of the COVID-19 pandemic.
An investigation by the DFS concluded that the companies failed to comply with DFS’s cybersecurity regulation that requires them to implement policies, procedures and controls designed to protect consumer data and the financial institutions themselves.
A separate investigation by the New York Attorney General concluded that the auto insurance companies did not implement sufficient data security controls to protect consumers’ private information.
As a result of the settlements, GEICO will pay a total of $9.75m in penalties and Travelers $1.55m to the State of New York.
In addition to the financial penalties, the firms have agreed to adopt a series of measures aimed at strengthening their cybersecurity practices, including:
- Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information
- Developing and maintaining a data inventory of private information and ensuring the information is protected by safeguards
- Maintaining reasonable authentication procedures for access to private information
- Maintaining a logging and monitoring system, as well as reasonable policies and procedures designed to properly configure such system to alert on suspicious activity
- Enhancing threat response procedures
Cybersecurity Failings Led to Breaches
The GEICO data breach began in November 2020, when the firm experienced a series of cyber-attacks on its auto insurance quoting tools.
The hackers were able to obtain New Yorkers’ driver’s license numbers from GEICO’s publicly facing website because the firm failed to protect this information on the website’s back end.
According to DFS, despite being notified by the regulator of an industry-wide cyber-attack campaign to obtain driver’s license numbers, GEICO failed to conduct a comprehensive review of its systems to prevent and detect future cyber-attacks.
Threat actors subsequently exploited vulnerabilities in GEICO’s insurance agents’ quoting tool, a separate platform from the consumer-facing insurance quotes website.
The personal data of approximately 116,000 New York residents was exposed in the GEICO attacks, with the vast majority accessed from GEICO’s insurance agents’ quoting tool.
In April 2021, hackers gained access to Travelers’ agent portal through the use of compromised agent credentials, allowing them to generate reports that included consumers’ full driver’s license numbers in plain text.
The portal did not use multifactor authentication (MFA) or any other compensating controls, making it easier to exploit. This is despite Travelers receiving several industry alerts warning that hackers were obtaining driver’s license numbers through insurance quoting tools between January and April 2021.
Travelers did not detect the breach of its agent portal for more than seven months and was only alerted to the attack by a third-party prefill data provider.
The incident exposed the personal information of approximately 4,000 New Yorkers.