New York Attorney General Letitia James has reached a $500,000 settlement with auto insurance company Noblr over a data breach that compromised the personal information of more than 80,000 New Yorkers. This incident was part of a broader scheme where scammers targeted online automobile insurance quoting applications to extract sensitive information such as driver’s license numbers and birth dates. Some of this stolen data was used to file fraudulent unemployment claims during the COVID-19 pandemic.
Attorney General James emphasized the responsibility of auto insurance companies to protect customer data: “Auto insurance companies offer drivers protection during emergencies, but they must also protect their personal information from hackers and scammers,” she stated. “Noblr failed to secure its data systems, making it easy for scammers to steal New Yorkers’ information and use some of the stolen information to fraudulently obtain unemployment benefits. Today we are holding Noblr accountable for being reckless with New Yorkers’ personal data and reminding all companies that they must prioritize cybersecurity.”
The Office of the Attorney General found that Noblr's online quoting tool left full driver’s license numbers exposed in several ways, including on its website's backend and in purchase-generated PDFs. Despite not offering insurance products in New York, Noblr did not restrict users from entering New York residents' personal details.
The vulnerability was identified by Noblr in January 2021, yet the company did not monitor site traffic in real time, which delayed detection of malicious activities. This failure resulted in approximately 80,000 New Yorkers' data being compromised.
As part of the settlement, Noblr is required to enhance its cybersecurity measures. These improvements include bolstering web application defenses, maintaining a comprehensive security program, developing a protected data inventory, implementing reasonable authentication procedures, and establishing a system to monitor suspicious activity.
This action is part of Attorney General James' broader effort to enforce stronger cybersecurity practices among companies. Recently, settlements were secured from GEICO and Travelers amounting to $11.3 million for similar security lapses. Earlier actions include penalties against a Capital Region healthcare provider and a biotech firm for inadequate data protection.
Assistant Attorneys General Gena Feist and Laura Mumm led this matter, with support from Data Security Analyst Nishaant Goswamy and others, under supervision within the Bureau of Internet and Technology.