New York’s Attorney General Letitia James hit two auto insurance companies, including Geico, with a fine topping $11 million over customer data leaks.
In an announcement Monday, James and the New York State Department of Financial Services said some 120,000 New Yorkers had seen their data compromised by the Government Employees Insurance Company (GEICO) and The Travelers Indemnity Company (Travelers).
Among the unsecured information was driver’s license numbers, dates of birth and insurance quotes.
“GEICO and Travelers offer drivers protection during times of emergencies, but these companies failed to protect consumers’ personal information,” Attorney General James said in a press release.
“Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously.”
GEICO (Government Employees Insurance Company) office in Buffalo, NY, USA, pictured July 2022. Inset: New York Attorney General Letitia James, who announced a settlement with Geico and The Travelers Indemnity Company over cyber attacks on Monday, November 25, 2024.
Getty Images/AP Photo
According to the announcement, a series of cyber-attacks were reported at Geico, starting in November 2020. Security flaws in the company’s website meant hackers were able to obtain driver’s license numbers.
The Attorney General’s office said that despite being told by DFS about industry-wide attacks, Geico failed to conduct a comprehensive review of its systems to make sure data could not be stolen again.
Hackers then targeted the company’s insurance agents’ quoting tool, which is a separate website, and took the information of around 116,000 people in the state, some of which was then used to file unemployment claims during the COVID-19 pandemic.
At Travelers, between January and April 2021, several alerts came in warning of hackers trying to steal drivers’ data. This then happened during April 2021, with cyber criminals using compromised agent details to generate reports and obtain customer information, but this went unnoticed for seven months.
James and the DFS announcement stated that Geico would have to pay $9.75 million in penalties, while Travelers would have to pay $1.5 million.
The agreement also required both companies to adopt new measures to strengthen cyber security, including ramping up safeguards on sensitive information and enhancing threat response procedures.
“DFS’s groundbreaking cybersecurity regulation establishes a vital foundation for ensuring the safety of sensitive consumer data and the resilience of financial institutions,” Superintendent Adrienne Harris said in the press release.
“These enforcement actions reinforce the Department’s commitment to ensuring that all licensees, especially those entrusted with consumer financial information like GEICO and Travelers, uphold their duty to implement robust measures that shield New Yorkers from potential data breaches and cyber threats.”
A spokesperson for Geico told Newsweek via email that the company was “pleased to have resolved this matter”.
“When this issue was identified, GEICO self-reported it to New York State officials and the company made improvements to its systems to prevent additional exploitation by these fraudsters,” the spokesperson said. “GEICO takes data security very seriously and has since committed significant resources to further strengthen its cybersecurity program.”
Travelers told Newsweek that a limited number of independent agents were affected.
“Protecting the information of all our stakeholders is a top priority, and we will continue to partner with our independent agents to prevent similar incidents in the future,” a spokesperson said via email. “It is important to note that Travelers’ internal systems were not impacted by this incident.”
Update 11/25/24 1:30 p.m. ET: This article was updated with comment from Travelers.
This post was originally published on here
