New York state has fined two major auto insurance companies, Geico and Travelers, a total of $11.3 million for failing to safeguard customers’ driver’s license numbers during a series of cyberattacks in 2021. Geico was hit with a hefty fine of $9.75 million, while Travelers was fined $1.55 million. The investigations revealed that hackers had exploited weaknesses in both companies’ internal systems to access and steal sensitive customer data, including driver’s license numbers, which were transmitted in unencrypted form. These incidents occurred during a period of heightened fraud activity tied to the COVID-19 pandemic, when stolen driver’s licenses were used to file fraudulent unemployment claims.
In the case of Geico, the breach began in January 2021, when hackers used the company’s online tool to obtain quotes and, in doing so, accessed driver’s license numbers that were improperly shared by a third-party provider. After Geico realized the breach, it modified its system, but hackers quickly adapted, exploiting another vulnerability in Geico’s claims system that exposed sensitive data. Between February 24 and March 1, 2021, the breach saw as many as 25,000 customer records stolen per day. The breach continued until the insurer received an extortion demand from the hackers, prompting further investigation and corrective action.
Travelers’ breach was similar, involving the theft of driver’s license numbers through compromised credentials used to access a portal for independent agents. The breach was detected in November 2021, months after the initial attack. Unlike Geico, Travelers emphasized that the breach was limited to stolen credentials from independent agents, with no impact on its internal systems. Nevertheless, the breach highlighted vulnerabilities in the company’s security processes, especially concerning third-party data providers.
Both Geico and Travelers have committed to improving their cybersecurity programs following the penalties. Under consent orders with New York authorities, both companies must enhance their data protection protocols and maintain an inventory of private customer information to prevent future breaches. New York Attorney General Letitia James stressed the importance of data protection, warning that breaches can lead to severe consequences, including fraud. These penalties serve as a stern reminder to businesses about the critical need for robust cybersecurity measures to protect sensitive customer information.
Reference:
