Geico and Travelers Hit with $11.3M Fine for Inadequate Data Security Practices

Two auto insurance companies in New York have been slapped with hefty penalties for failing to adequately secure personal data, leading to a breach that compromised the information of over 12,000 state residents. Government Employees Insurance Co. (GEICO) and the Travelers Indemnity Co. have been fined a total of $11.3 million by the State of New York for what authorities described as “poor data security practices.”

The fines were announced by New York Attorney General Letitia James and New York State Department of Financial Services (DFS) Superintendent Adrienne A. Harris. The violations occurred when cybercriminals were able to steal driver license numbers due to the insurers’ insufficient security measures. These stolen identities were then used to file fraudulent unemployment claims, particularly during the COVID-19 crisis.

According to officials, the insurers were found to be in violation of state regulations that require them to implement policies, procedures, and controls to safeguard consumer data and financial institutions. GEICO has been ordered to pay $9.75 million, while Travelers will pay $1.55 million in penalties.

In response to the fines, Attorney General Letitia James stated, “GEICO and Travelers offer drivers protection during times of emergencies, but these companies failed to protect consumers’ personal information. Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously.”

The breach at GEICO occurred in November 2020 when threat actors compromised the company’s auto insurance quoting tool, allowing them to access driver license numbers through the company’s website. Despite being alerted to industry-wide cyberattack campaigns and previous cybersecurity incidents, GEICO failed to conduct a thorough review of its systems to prevent future breaches.

Hackers then exploited a vulnerability in GEICO’s insurance agent quoting tool on a separate platform, exposing the personal information of around 116,000 New York residents. Similarly, Travelers was breached through a cyberattack on its auto insurance quoting tool used by independent agents, resulting in the exposure of data from 4,000 New Yorkers.

In addition to the financial penalties, both insurers have agreed to enhance their cybersecurity practices. This includes improving protections for private information, conducting comprehensive data inventories, implementing authentication protocols for accessing private data, enhancing logging and monitoring, and strengthening threat response planning and procedures.

GEICO has also committed to remedial measures such as risk assessment, penetration testing, and developing an action plan to address any issues identified. Travelers will review its systems, assess access controls, and enhance protections against unauthorized access to personal information.

Overall, the penalties and corrective actions imposed on GEICO and Travelers serve as a reminder of the importance of robust cybersecurity measures in safeguarding sensitive data and protecting consumers from fraud and identity theft. The State of New York is sending a clear message that companies must prioritize data security to prevent future breaches and uphold the trust of their customers.
