Suit contends they failed to protect New Yorkers’ personal information
New York Attorney General (NYAG) Letitia James on March 10 filed a lawsuit against several insurance companies doing business as National General and Allstate Insurance Company (NYSE: ALL) for failing to protect New Yorkers’ personal information from cyberattacks.
In 2020 and 2021, National General suffered a pair of back-to-back data breaches that exposed the driver’s license numbers of more than 165,000 New Yorkers.
The Office of the Attorney General (OAG) alleges that following the first breach, National General failed to notify impacted consumers and neglected to determine whether sensitive information was exposed elsewhere in its system, which allowed for a second, larger breach to occur months later.
James alleges the two breaches were a result of National General’s failure to implement reasonable data-security measures, both before and after Allstate assumed control of its data-security operations. James is seeking penalties for National General’s failure to institute reasonable data-security safeguards and notify consumers, and an injunction to stop any continued violations.
“National General’s weak cybersecurity emboldened hackers to steal New Yorkers’ personal data, not once but twice in two separate cyberattacks,” James said in the announcement. “National General mishandled New Yorkers’ personal information and violated the law by failing to inform them that their data was stolen. It is crucial that companies take cybersecurity seriously to protect consumers from fraud and identity theft, and my office will always hold those who fail to do so accountable.”
In a statement to Reuters, Allstate reacted to the announcement and defended its breach response.
“We resolved this issue years ago, promptly securing our systems after finding vulnerabilities in online quoting tools that could have exposed drivers’ license numbers,” the company said. “We promptly notified regulators, contacted potentially affected consumers and offered free credit monitoring as a precaution.”
Case background
In 2020, attackers began targeting National General’s online quoting websites, which provide consumers with instant auto-insurance quotes, James’ office explained.
These websites were designed to automatically display consumers’ full driver’s-license numbers in plain text with minimal input, a “flaw that bad actors were able to take advantage of” to access consumers’ private information.
The first breach, which affected two public-facing websites, exposed the driver’s-license numbers of nearly 12,000 individuals, including more than 9,100 New Yorkers. Due to “inadequate” monitoring and the websites’ “lack of protections” against automated attacks, National General “failed to detect” the breach for two months.
James’ office said that upon discovering the breach, National General failed to alert the consumers whose data was exposed or notify the appropriate state agencies. The company also continued to leave driver’s-license numbers exposed on a separate quoting website for independent insurance agents, which was likewise “weakly protected.”
Attackers then targeted this system in a second, far larger breach, which National General detected in February 2021. This attack compromised the personal information of an additional 187,000 consumers, including the driver’s-license numbers of roughly 155,000 New Yorkers.
National General’s data-security failures continued after The Allstate Corporation acquired National General and Allstate took control of National General’s data-security function, James’ office said.
Driver’s-license numbers are valuable to cyber-criminals and can be used to commit various forms of fraud, including identity theft and government-benefits fraud. Under New York law, companies that own or license New Yorkers’ private data must take appropriate steps to secure it.
James alleges that National General “violated” state consumer protection and business laws by “failing to secure sensitive information, misrepresenting its data security practices to customers and consumers, and failing to notify affected consumers of the initial breach,” per the March 10 announcement.