New York Attorney General Letitia James has initiated legal action against National General and Allstate Insurance Company, citing their failure to protect personal information of New Yorkers from cyberattacks. The lawsuit follows data breaches in 2020 and 2021 that compromised the driver's license numbers of over 165,000 New Yorkers. According to the Office of the Attorney General (OAG), National General did not notify affected consumers after the first breach nor assess whether sensitive data was exposed elsewhere, leading to a second breach.
"National General’s weak cybersecurity emboldened hackers to steal New Yorkers’ personal data, not once but twice in two separate cyberattacks," stated Attorney General James. She emphasized that mishandling personal information violates laws requiring companies to safeguard consumer data.
In 2020, cyber attackers exploited vulnerabilities in National General's online quoting websites, which displayed full driver’s license numbers with minimal input. The first breach affected two public-facing sites and exposed nearly 12,000 individuals' details. Due to inadequate monitoring, this breach went undetected for two months.
After discovering the initial breach, National General did not alert consumers or state agencies and left another quoting website vulnerable. This led to a second breach detected in February 2021 that compromised an additional 187,000 individuals' information.
Attorney General James is seeking penalties for these security failures and aims for an injunction against further violations. "It is crucial that companies take cybersecurity seriously to protect consumers from fraud and identity theft," she remarked.
This legal action is part of Attorney General James’ ongoing efforts to hold insurance companies accountable for data security lapses. Previously, her office secured $500,000 from Noblr for a similar incident involving over 80,000 New Yorkers and $11.3 million from GEICO and Travelers Insurance due to poor data security affecting more than 120,000 individuals.
The case is being managed by Assistant Attorneys General Laura Mumm and Alexandra Hiatt among others under supervision within the Bureau of Internet and Technology. Data analysis support was provided by specialists under the Division of Economic Justice led by Chief Deputy Attorney General Chris D’Angelo.