New York Attorney General Letitia James and New York State Department of Financial Services Superintendent Adrienne A. Harris have reached a settlement with two auto insurance companies over data breaches that compromised the personal information of more than 120,000 New Yorkers. The Government Employees Insurance Company (GEICO) and The Travelers Indemnity Company (Travelers) will pay a combined total of $11.3 million in penalties for inadequate data security practices.
The investigation revealed that both companies failed to implement sufficient cybersecurity measures, leading to the exposure of consumers' personal information, including driver's license numbers and dates of birth. Hackers exploited these vulnerabilities to file fraudulent unemployment claims during the COVID-19 pandemic.
Attorney General James stated, "GEICO and Travelers offer drivers protection during times of emergencies, but these companies failed to protect consumers' personal information." She emphasized the importance of robust cybersecurity measures to prevent fraud.
Superintendent Harris added, "DFS's groundbreaking cybersecurity regulation establishes a vital foundation for ensuring the safety of sensitive consumer data and the resilience of financial institutions." She highlighted the commitment to enforcing regulations that safeguard consumer financial information.
Starting in November 2020, GEICO experienced cyberattacks on its quoting tools due to inadequate protection on its website's back end. Despite warnings from DFS about an industry-wide campaign targeting driver's license numbers, GEICO did not conduct a comprehensive review to enhance its systems against future attacks. As a result, approximately 116,000 New Yorkers had their personal information exposed through GEICO's insurance agents' quoting tool.
Similarly, Travelers faced a cyberattack between January and April 2021, when hackers accessed its agent portal using compromised credentials. This breach went undetected for over seven months until it was identified by a third-party provider. Around 4,000 New Yorkers were affected by this incident.
The settlements require both companies to enhance their security measures significantly. GEICO will pay $9.75 million in penalties while Travelers will pay $1.55 million. In addition to financial penalties, they are required to adopt improved cybersecurity practices such as maintaining comprehensive security programs and enhancing threat response procedures.
Attorney General James has actively pursued actions against companies with poor cybersecurity practices in recent years. These efforts include securing settlements from healthcare providers and biotech companies for failing to protect private data and issuing guides on privacy controls and identity theft protection services.
The investigations were led by various members of the Office of the Attorney General's Bureau of Internet and Technology under the supervision of Deputy Bureau Chief Clark Russell and Bureau Chief Kim Berger.