New York Attorney General Sues Insurance Giant Allstate Over Data Breaches

New York Attorney General Letitia James has filed a lawsuit against insurance giant Allstate for allegedly concealing and failing to prevent data breaches that leaked sensitive personal information.

“Attorney General James is seeking penalties for National General’s failure to institute reasonable data security safeguards and notify consumers, and an injunction to stop any continued violations,” the New York Office of the Attorney General stated.

The first Allstate data breach occurred between August and November 2020. It was closely followed in January 2021 by a much larger breach affecting its subsidiary National General, which it acquired in the same month for about $4 billion.

New York sues Allstate over data breaches

New York accuses Allstate of violating the Stop Hacks and Improve Electronic Data Security Act for failing to prevent the two data breaches. Allstate also stands accused of contravening consumer protection laws by misleading the public about its data protection practices.

The lawsuit also alleges that Allstate subsidiary National General failed to notify 12,000 individuals, including 9,100 New Yorkers, that a two-month-long data breach had exposed their driver’s license numbers.

Three months later, another massive cyber attack targeted National General’s insurance quoting tool for independent agents, exposing the driver’s license numbers of 187,000 people, including 155,000 New Yorkers.

“National General’s data security failures continued after The Allstate Corporation acquired National General and Allstate took control of National General’s data security function,” the OAG noted.

The Empire State further alleges that Allstate’s poor cybersecurity practices enabled malicious actors to access victims’ data twice in a row. It also faulted the insurance giant for failing to notify impacted individuals promptly, leaving them exposed to various forms of cyber attacks.

“National General’s weak cybersecurity emboldened hackers to steal New Yorkers’ personal data, not once but twice in two separate cyberattacks,” New York Attorney General Letitia James said. “National General mishandled New Yorkers’ personal information and violated the law by failing to inform them that their data was stolen.”

New York prosecutors also allege that Allstate stored the exposed driver’s license numbers in plaintext format, a practice that National General continued even after the second data breach.

Consequently, the Empire State prosecutors seek a $5,000 fine for every violation and other remedies, which could include implementing a raft of cybersecurity measures to prevent future data breaches.

However, Allstate claimed it resolved the issue after discovering security vulnerabilities in its quoting tool, notified impacted individuals, and alerted relevant authorities.

Insurance companies facing lawsuits

Meanwhile, the Allstate lawsuit is another attempt by the state of New York to hold insurance companies responsible for their alleged failure to prevent data breaches.

In November 2024, the Empire State fined GEICO and Travelers $9.75 million and $1.55 million, respectively, over data breaches that exposed driver’s license numbers in 2020 and 2021.

Allstate also faces a regulatory action in Texas after Lone Star State Attorney General Ken Paxton sued the insurance giant and its subsidiary Arity for collecting, using, and selling the personal data of 45 million people.

According to the New York Attorney General, data breaches affecting National General and other insurance companies were “part of a growing fraud campaign targeting pandemic and unemployment benefits.”

“Unfortunately, it seems that the amount of data around each person that is being lost in these breaches continues to grow, so it’s no longer just a name, address, and maybe a credit card number or phone number, but now a lot more personal information is included,” lamented Erich Kron, a security awareness advocate at cybersecurity company KnowBe4. “Insurance organizations are well known for collecting and using credit information to influence rates, and to check credit they need to collect some rather sensitive data such as Social Security numbers.”

“In addition, insurers are asking customers to install telemetry devices in their vehicles, or through their phone apps, to track their location, speed, time of driving, braking and acceleration data, and a laundry list of other bits of data that most people would probably prefer remains private,” added Kron.