
New York Fines Auto Insurance Companies GEICO and Travelers Nearly $12 Million Over Data Breaches

New York authorities have fined two auto insurance companies nearly $12 million for failing to prevent data breaches that compromised the personal information of 120,000 residents and resulted in fraud.

Government Employees Insurance Company (GEICO) and Travelers Indemnity Company will pay $11.3 million for failing to prevent and adequately respond to the cyber attacks.

The resulting data breaches allowed hackers to steal the sensitive personal information of 120,000 New York residents, including driver’s license numbers, and file fraudulent unemployment benefit claims with it.

GEICO will pay $9.75 million, while Travelers will foot the remaining $1.55 million. As part of the settlement agreements, both companies must also implement stronger security measures.

GEICO and Travelers data breaches impacted 120,000 New York residents

In November 2020, GEICO suffered a data breach that impacted its auto insurance quoting tool, allowing attackers to exfiltrate sensitive personal information from a public-facing website.

The New York State Department of Financial Services (DFS) notified GEICO of the attack. Despite having experienced separate data breaches, the company “failed to conduct a comprehensive review of its systems to prevent and detect future cyberattacks.”

GEICO data breaches affected 116,000 New York residents and leaked sensitive details, including driver’s license numbers.

In April 2021, Travelers also experienced a data breach. The company received numerous alerts that attackers were harvesting customers’ driver’s license numbers by abusing its insurance quoting tools to generate reports.

The attackers used compromised credentials to log in to the company’s insurance agent portal, which was not protected by multifactor authentication. Travelers did not detect the intrusion for seven months, until a third-party prefill data provider alerted the company.

The Travelers data breach impacted 4,000 New York residents, bringing the total number of victims from both auto insurance companies to 120,000. Fraudsters used the stolen data to file fraudulent unemployment claims during the COVID-19 pandemic.
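The two patterns described above, bulk harvesting of driver’s license numbers through a quoting tool and one agent credential being used from more than one location on a portal without MFA, are exactly what access logging and monitoring should surface long before a third party raises the alarm. The detector below is an added example written for this page; it is not code from GEICO, Travelers, DFS or the Attorney General’s office. The log format, field names, IP addresses, account names, applicant identifiers and thresholds are all constructed assumptions for illustration.

```python
"""Flag bulk driver's-license harvesting through a quoting tool.

Two signals over a sliding time window:
  bulk_prefill   - one principal (an agent account, or the source IP for the
                   unauthenticated public quote form) received responses that
                   prefilled a driver's license number for many distinct
                   applicants in a short time.
  shared_account - one agent account was used from several source IPs in a
                   short time, the footprint of a compromised credential on a
                   portal that has no MFA.
All names, addresses and thresholds here are assumptions, not real data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines from a hypothetical quoting tool. Fields:
# timestamp, source IP, agent account ("-" for the public quote form),
# applicant identifier, and whether the response prefilled a license number.
SAMPLE_LOG = """\
2021-04-03T09:00:01Z 198.51.100.20 agent.lee applicant=a1001 dl_prefilled=1
2021-04-03T09:00:10Z 203.0.113.10 agent.smith applicant=b2001 dl_prefilled=1
2021-04-03T09:00:31Z 203.0.113.10 agent.smith applicant=b2002 dl_prefilled=1
2021-04-03T09:00:52Z 203.0.113.10 agent.smith applicant=b2003 dl_prefilled=1
2021-04-03T09:01:13Z 203.0.113.10 agent.smith applicant=b2004 dl_prefilled=1
2021-04-03T09:01:34Z 203.0.113.10 agent.smith applicant=b2005 dl_prefilled=1
2021-04-03T09:01:55Z 203.0.113.10 agent.smith applicant=b2006 dl_prefilled=1
2021-04-03T09:05:00Z 198.51.100.7 agent.smith applicant=b2007 dl_prefilled=1
2021-04-03T09:10:00Z 192.0.2.55 - applicant=c3001 dl_prefilled=1
2021-04-03T09:10:20Z 192.0.2.55 - applicant=c3002 dl_prefilled=1
2021-04-03T09:10:40Z 192.0.2.55 - applicant=c3003 dl_prefilled=1
2021-04-03T09:11:00Z 192.0.2.55 - applicant=c3004 dl_prefilled=1
2021-04-03T09:11:20Z 192.0.2.55 - applicant=c3005 dl_prefilled=0
2021-04-03T09:11:40Z 192.0.2.55 - applicant=c3006 dl_prefilled=1
2021-04-03T09:45:00Z 198.51.100.20 agent.lee applicant=a1002 dl_prefilled=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<account>\S+) "
    r"applicant=(?P<applicant>\S+) dl_prefilled=(?P<dl>[01])$"
)


def parse_line(line):
    """Parse one log line into a dict; raise on anything unparseable so
    malformed input is noticed rather than silently dropped."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    rec["dl"] = rec["dl"] == "1"
    return rec


def find_harvesting(lines, window=timedelta(minutes=10), max_prefills=5, max_ips=1):
    """Return alerts in the order they fire. Each principal fires each alert
    type at most once so a long-running attack does not flood the queue."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts, fired = [], set()
    prefill_hist = defaultdict(deque)   # principal -> deque of (ts, applicant)
    ip_hist = defaultdict(deque)        # account   -> deque of (ts, ip)

    def trim(q, now):
        while q and now - q[0][0] > window:
            q.popleft()

    for e in events:
        principal = e["account"] if e["account"] != "-" else e["ip"]
        if e["dl"]:
            q = prefill_hist[principal]
            q.append((e["ts"], e["applicant"]))
            trim(q, e["ts"])
            distinct = {a for _, a in q}   # only count distinct applicants
            if len(distinct) >= max_prefills and ("bulk_prefill", principal) not in fired:
                fired.add(("bulk_prefill", principal))
                alerts.append({"type": "bulk_prefill", "principal": principal,
                               "count": len(distinct), "at": e["ts"]})
        if e["account"] != "-":
            q = ip_hist[e["account"]]
            q.append((e["ts"], e["ip"]))
            trim(q, e["ts"])
            ips = {ip for _, ip in q}
            if len(ips) > max_ips and ("shared_account", e["account"]) not in fired:
                fired.add(("shared_account", e["account"]))
                alerts.append({"type": "shared_account", "principal": e["account"],
                               "ips": len(ips), "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in find_harvesting(SAMPLE_LOG.splitlines()):
        print(a)
```

On the constructed sample the legitimate agent (two quotes 45 minutes apart) never trips a rule, while the compromised agent account fires both signals and the public quote form fires `bulk_prefill` on its fifth distinct prefilled applicant. The thresholds are deliberately low for the demonstration; in practice they would be tuned against a baseline of real agent activity, and the `shared_account` signal is only a stopgap for what MFA on the portal should prevent outright.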

Announcing the settlement, New York Attorney General Letitia James said the auto insurance companies had evidently “failed to protect consumers’ personal information.”

“The settlements with Geico and Travelers highlight how cybersecurity lapses can lead to real-world consequences for both organizations and the individuals whose data they are entrusted to protect,” said Anne Cutler, Cybersecurity Evangelist at Keeper Security. “In both instances, attackers exploited known weaknesses – whether through the lack of Multi-Factor Authentication (MFA) or vulnerabilities in quoting tools – resulting in breaches that could have been mitigated with relatively standard security measures.”

Auto insurance companies required to enhance cybersecurity

Besides the financial penalty, New York authorities require the impacted auto insurance companies to implement robust cybersecurity measures to prevent similar data breaches in the future.

The required measures include maintaining a comprehensive information security program to protect the security, confidentiality, and integrity of personal data.

The companies must also maintain a data inventory, reasonable authentication procedures, logging and monitoring systems, and an operational threat-response capability.

“Basic practices such as password management, MFA, encrypting sensitive information, and deploying a threat detection system are essential,” added Cutler. “Routine patch management, frequent security audits and ongoing employee training further reduce vulnerabilities.”

She also advised companies to consider “a zero-trust framework and Privileged Access Management (PAM)” to limit the impact of data breaches, prevent lateral movement, and enhance their overall security posture.

GEICO has agreed to implement remedial security measures, including conducting a comprehensive cybersecurity risk assessment, pen-testing, and developing an action plan to address security concerns.

Similarly, Travelers agreed to review its systems, assess access controls, and improve protections against unauthorized access to nonpublic personal information (NPI).

Attorney General James warned that data breaches involving sensitive personal information could lead to serious fraud. She insisted that companies entrusted with sensitive customer data must take “cybersecurity and data protection seriously.”

DFS Superintendent Adrienne A. Harris also praised the enforcement action. She reiterated that companies entrusted with consumer financial information like GEICO and Travelers should “uphold their duty to implement robust measures that shield … from potential data breaches and [other] cyber threats.”

However, Venky Raju, Field CTO at ColorTokens, criticized the fines imposed on the two auto insurance companies as too modest.

“The fines paid out by breached businesses in the recent months have been in the range of $10-100 per consumer, with the individual user getting, at best, free credit monitoring for a year,” noted Raju. “It will take more significant per-user penalties for businesses to prioritize cybersecurity investments for data breach prevention and reporting.”