Dive Brief:
- Geico and Travelers were fined a combined $11.3 million for poor data security practices that allowed hackers to steal personal data on 120,000 people, New York officials said Monday.
- New York Attorney General Letitia James and New York State Department of Financial Services Superintendent Adrienne Harris issued penalties against the auto insurance companies for failing to protect customers’ private information. The settlement calls for Geico to pay a total fine of $9.75 million and Travelers to pay $1.55 million.
- “Geico and Travelers offer drivers protection during times of emergencies, but these companies failed to protect consumers’ personal information,” James said in a statement. “Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously.”
Dive Insight:
The penalties stem from a series of cyberattacks targeting Geico’s auto insurance quoting tools in late 2020 and an attack on a similar Travelers tool in early 2021.
New York officials allege Geico failed to protect prospective customers’ driver’s license numbers on its internal systems. Attackers exploited vulnerabilities in Geico’s insurance agent’s quoting tool and ultimately stole personal information of 116,000 New York residents, the state officials said.
Hackers used compromised credentials in April 2021 to access Travelers’ agent portal, which was not protected by multifactor authentication. The breach went undetected for more than seven months, according to state officials, and resulted in the theft of personal information on about 4,000 New York residents.
The attackers used some of the stolen driver’s license numbers to file fraudulent unemployment claims during the COVID-19 pandemic, New York state officials said.
Geico and Travelers, as part of the settlement, agreed to strengthen their cybersecurity practices by maintaining logs, safeguarding private information with authentication and enhancing threat response procedures.
“Protecting the information of all our stakeholders is a top priority, and we will continue to partner with our independent agents to prevent similar incidents in the future,” a Travelers spokesperson said.
Travelers’ internal systems were not impacted by this incident, the spokesperson added. Geico said it is also working to prevent future attacks.
“When this issue was identified, Geico self-reported it to New York state officials and the company made improvements to its systems to prevent additional exploitation by these fraudsters,” a Geico spokesperson said. “Geico takes data security very seriously and has since committed significant resources to further strengthen its cybersecurity program.”