New York Fines GEICO $9.75M, Travelers $1.5M Over Auto Insurance Cyber Breaches

November 25, 2024

Two auto insurers will pay fines totaling $11.3 million for data breaches of online insurance quoting systems that New York officials say compromised personal information of an estimated 120,000 customers in total.

New York Attorney General Letitia James and New York State Department of Financial Services (DFS) Superintendent Adrienne A. Harris announced settlements with the Government Employees Insurance Co. (GEICO) for $9.75 million and The Travelers Indemnity Co. for $1.55 million for having “poor data security.”

According to the New York officials, the insurers’ data breaches were part of an industry-wide campaign by hackers to steal consumers’ personal information, including driver’s license numbers and dates of birth, from online automobile insurance quoting applications, including those used by GEICO customers and agents and Travelers agents.

The hackers then used some of the stolen driver’s license information to file fraudulent unemployment claims during the COVID-19 pandemic.

The state attorney general’s investigation concluded that the auto insurance companies did not implement sufficient data security controls and did not comply with the state DFS cybersecurity regulation, which requires insurers to implement policies, procedures, and controls designed to protect consumer data and the financial institutions themselves.

According to the GEICO consent order, starting in November 2020, GEICO experienced a series of cyberattacks on its auto insurance quoting tools. Hackers were able to obtain New Yorkers’ driver’s license numbers from GEICO’s publicly-facing website because officials say GEICO failed to protect this information on the website’s back end. “Despite being notified by DFS of an industry-wide cyberattack campaign to obtain driver’s license numbers, and suffering, disclosing, and remediating separate cybersecurity incidents, GEICO failed to conduct a comprehensive review of its systems to prevent and detect future cyberattacks,” the consent order maintains.

After GEICO remediated its website vulnerabilities, the consent order says hackers then exploited vulnerabilities in GEICO’s insurance agents’ quoting tool, a separate platform from the consumer-facing insurance quotes website.

The personal information of approximately 116,000 New York residents was exposed in the GEICO cyberattacks, with the vast majority being lifted from GEICO’s insurance agents’ quoting tool. Some of the exposed data was later used to file unemployment claims during the COVID-19 pandemic.

According to the consent order with Travelers, the insurer experienced a cyberattack on its auto insurance quoting tool for independent agents. Between January and April 2021, Travelers received several industry alerts warning that hackers were obtaining driver’s license numbers through insurance quoting tools. In April 2021, hackers nonetheless gained access to Travelers’ agent portal using compromised agent credentials, which allowed them to generate reports containing consumers’ full driver’s license numbers in plain text. The agent portal was password protected but did not use multifactor authentication or any other compensating controls, making it easier to exploit, according to the order. Travelers did not detect the breach of its agent portal for more than seven months and was alerted to the attack by a third-party prefill data provider, the consent order says. The Travelers attack exposed the personal information of approximately 4,000 New Yorkers, the order maintains.
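Two controls that address the failure mode described above, as an added illustration that is not from the consent orders or from either insurer’s systems: masking driver’s license numbers before they reach generated reports, and flagging an agent credential whose report volume jumps well above a normal rate so that a compromised login is noticed in hours rather than months. The log format, field names, and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in a hypothetical agent-portal audit log format:
# "<ISO timestamp> agent=<id> action=<name> records=<count>". Not real data.
SAMPLE_LOG = """\
2021-04-12T09:02:11Z agent=A1042 action=quote_report records=1
2021-04-12T09:15:40Z agent=A1042 action=quote_report records=2
2021-04-12T09:16:03Z agent=A2210 action=login records=0
2021-04-12T09:16:05Z agent=A2210 action=quote_report records=1
2021-04-12T09:16:07Z agent=A2210 action=quote_report records=1
2021-04-12T09:16:09Z agent=A2210 action=quote_report records=1
2021-04-12T09:16:11Z agent=A2210 action=quote_report records=1
2021-04-12T09:16:13Z agent=A2210 action=quote_report records=1
2021-04-12T09:16:15Z agent=A2210 action=quote_report records=1
"""

LINE_RE = re.compile(r"^(\S+) agent=(\S+) action=(\S+) records=(\d+)$")


def mask_dln(dln: str, keep: int = 4) -> str:
    """Return a driver's license number with all but the last `keep`
    characters replaced, so reports never carry the full value."""
    if len(dln) <= keep:
        return "*" * len(dln)
    return "*" * (len(dln) - keep) + dln[-keep:]


def flag_bulk_report_agents(log_text: str, max_records_per_hour: int = 5) -> list:
    """Sum records returned by quote_report actions per agent per clock hour
    and return the agents that exceed the assumed baseline threshold."""
    per_hour = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the scan
        ts, agent, action, count = m.groups()
        if action != "quote_report":
            continue
        per_hour[(agent, ts[:13])] += int(count)  # ts[:13] = YYYY-MM-DDTHH
    flagged = {agent for (agent, _), n in per_hour.items() if n > max_records_per_hour}
    return sorted(flagged)


if __name__ == "__main__":
    print("masked:", mask_dln("A123456789"))
    print("agents over threshold:", flag_bulk_report_agents(SAMPLE_LOG))
```

In practice the threshold would be derived from each agent’s own history rather than a fixed constant, and the alert would feed the same queue as failed-MFA events.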

In addition to the fines, the agreements require GEICO and Travelers to adopt a series of measures aimed at strengthening their cybersecurity practices going forward. GEICO agreed to conduct remedial measures, including a comprehensive cybersecurity risk assessment and penetration testing, and to develop an action plan to address any resulting concerns. Travelers agreed to review its systems, assess access controls, and improve protections against unauthorized access to nonpublic personal information.

New York Updates Financial Services Cybersecurity Regulation to Address AI Risks

Since the implementation of the Cybersecurity Regulation in March 2017, DFS has entered into consent orders with 12 entities for violations, resulting in over $100 million in penalties. DFS’s Cybersecurity Regulation was updated in November 2023. It has served as a model for other regulators, including the Federal Trade Commission, multiple states, and the National Association of Insurance Commissioners.