
Geico and Travelers Fined $11.3 Million For Data Breaches

New York Attorney General Letitia James and the New York State Department of Financial Services (DFS) announced they are hitting two auto insurers, Geico and Travelers Indemnity, with $11.3 million in fines over poor security practices that enabled data breaches. 

The data breaches, which occurred in 2020 and 2021, led to the personal data of more than 120,000 New Yorkers being compromised, including driver’s license numbers and dates of birth. The attackers then used this stolen information to file fraudulent unemployment claims during the COVID-19 pandemic.

“The OAG investigation concluded that the auto insurance companies did not implement sufficient data security controls to protect consumers’ private information,” according to the Office of the New York State Attorney General’s Monday press release. “The DFS investigation concluded that the auto insurance companies did not comply with DFS’s cybersecurity regulation that requires them to implement policies, procedures, and controls designed to protect consumer data and the financial institutions themselves.”

Key Details:

  • In November 2020, threat actors targeted Geico in a number of cyberattacks, including exploiting vulnerabilities in its insurance agents’ quoting tool, and gathering New Yorker driver’s license numbers from a public-facing website

  • The personal data of 116,000 New York residents was exposed in these attacks, and most of that data was lifted from the insurance agent’s quoting tool 

  • In April 2021, threat actors accessed Travelers’ insurance agent portal using compromised credentials, allowing them to see consumers’ full driver’s license numbers in plain text

  • Around 4,000 New Yorkers had their personal information exposed through the Travelers cyberattack

Why It Matters: As we’ve seen with settlements with T-Mobile and others, companies are being hit with penalties related to security incidents, whether it’s how they handled a security breach or a lack of security protections in place leading up to the attacks. In Geico’s case, while the company had been notified of industry-wide cyberattacks aimed at obtaining driver’s licenses and was remediating several separate attacks, it still “failed to conduct a comprehensive review of its systems to prevent and detect future cyberattacks,” alleged the DFS. Travelers also received several industry alerts warning about attacks on insurance quoting tools, but the Travelers insurance agent portal that threat actors eventually targeted did not have multi-factor authentication enabled. Furthermore, Travelers did not detect the breach for more than seven months, until it was alerted by a third-party prefill data provider, the DFS said.
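The seven-month detection gap is the part of this story a security operations team can act on directly. The following is an added example, not code from the article, DFS, or either insurer: a small detection routine that scans constructed quoting-tool access logs and flags any client/agent pair that pulled an unusual number of prefill responses carrying a driver’s license number inside a one-hour window. The log format, field names, endpoint path and threshold are all assumptions for illustration.

```python
"""Detection sketch for quoting-tool prefill abuse.

Added example (not from the article or either insurer). Assumes a pipe-separated
access log with the fields below; the endpoint name and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format):
# timestamp | client_ip | agent_id | endpoint | prefill_dl
# prefill_dl is 1 when the response carried a driver's license number.
SAMPLE_LOG = """\
2021-04-02T09:15:00Z|198.51.100.7|agent-042|/quote/prefill|1
2021-04-02T10:00:01Z|203.0.113.10|agent-117|/quote/prefill|1
2021-04-02T10:00:05Z|203.0.113.10|agent-117|/quote/prefill|1
2021-04-02T10:00:09Z|203.0.113.10|agent-117|/quote/prefill|1
2021-04-02T10:00:14Z|203.0.113.10|agent-117|/quote/prefill|0
2021-04-02T10:01:02Z|203.0.113.10|agent-117|/quote/prefill|1
2021-04-02T10:02:30Z|203.0.113.10|agent-117|/quote/prefill|1
2021-04-02T10:03:11Z|203.0.113.10|agent-117|/quote/prefill|1
2021-04-02T10:05:47Z|203.0.113.10|agent-117|/quote/prefill|1
2021-04-02T10:07:19Z|203.0.113.10|agent-117|/quote/prefill|1
2021-04-02T11:30:00Z|198.51.100.7|agent-042|/quote/summary|0
2021-04-02T13:40:00Z|198.51.100.7|agent-042|/quote/prefill|1
2021-04-02T16:05:00Z|198.51.100.7|agent-042|/quote/prefill|1
"""

PREFILL_ENDPOINT = "/quote/prefill"  # assumed path


def parse_line(line):
    """Parse one assumed-format log line into a dict with a timezone-aware timestamp."""
    ts, ip, agent, endpoint, dl = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": ip,
        "agent": agent,
        "endpoint": endpoint,
        "dl": dl == "1",
    }


def find_prefill_abuse(lines, window=timedelta(hours=1), threshold=5):
    """Return {(client_ip, agent_id): peak_count} for every pair whose number of
    DL-bearing prefill responses within any sliding window exceeds `threshold`.

    A legitimate agent quoting a handful of customers per day stays well under
    the threshold; a client harvesting license numbers in bulk does not.
    """
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if e["endpoint"] == PREFILL_ENDPOINT and e["dl"]:
            events[(e["ip"], e["agent"])].append(e["ts"])

    flagged = {}
    for key, times in events.items():
        times.sort()
        start = 0
        peak = 0
        # Two-pointer sliding window: count events within `window` of each other.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[key] = peak
    return flagged


if __name__ == "__main__":
    for (ip, agent), count in find_prefill_abuse(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT: {ip} via {agent} pulled {count} DL prefills within one hour")
```

In practice the alert would feed a ticket or an automatic session revocation rather than a print statement, and the threshold would be tuned from each agent's baseline; the point is that a check of this shape runs in minutes, not months, and pairs naturally with the multi-factor authentication and logging controls the settlement requires.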

In addition to the fines ($9.7 million against Geico and $1.5 million against Travelers), both companies will be required to adopt a number of security measures for strengthening their practices moving forward. That means that they will need to maintain a more robust security program, make sure private data is better protected, ensure that authentication and logging policies are fully in place and improve their threat response procedures. 

Additionally, “as part of this settlement with DFS, GEICO agreed to conduct remedial measures, including a comprehensive cybersecurity risk assessment and penetration testing, and the development of an action plan to address any resulting concerns,” according to the DFS. Travelers agreed to review its systems, assess access controls, and improve protections against unauthorized access to NPI (nonpublic personal information).