NYS fines GEICO, Travelers $11.3 million combined over data breaches

ALBANY — New York State says it will collect fines totaling $11.3 million from two auto-insurance companies for having “poor data security,” which led to the personal information of more than 120,000 New Yorkers “being compromised.” The Government Employees Insurance Company (GEICO) will pay $9.75 million in penalties and The Travelers Indemnity Company (Travelers) (NYSE: TRV) will pay $1.55 million, New York Attorney General Letitia James and New York State Department of Financial Services (DFS) Superintendent Adrienne Harris announced Nov. 25. These events were part of an industry-wide campaign by hackers to steal consumers’ personal information, including driver’s-license numbers and dates of birth, from online automobile insurance quoting applications, including those used by GEICO and Travelers. The hackers then used some of the stolen driver’s-license information to file fraudulent unemployment claims at the height of the COVID-19 pandemic. The Office of Attorney General (OAG) investigation concluded that the auto-insurance companies did not implement “sufficient” data-security controls to protect consumers’ private information. “GEICO and Travelers offer drivers protection during times of emergencies, but these companies failed to protect consumers’ personal information,” James said in the announcement. “Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously. I thank the Department of Financial Services and the Department of Labor for their partnership and continued work to hold companies accountable when they fail to protect consumers.” The DFS investigation concluded that the auto insurers did not comply with DFS’s cybersecurity regulation that requires them to implement policies, procedures, and controls designed to protect consumer data and the financial institutions themselves. “DFS’s groundbreaking cybersecurity regulation establishes a vital foundation for ensuring the safety of sensitive consumer data and the resilience of financial institutions,” Harris said in the joint announcement. “These enforcement actions reinforce the Department’s commitment to ensuring that all licensees, especially those entrusted with consumer financial information like GEICO and Travelers, uphold their duty to implement robust measures that shield New Yorkers from potential data breaches and cyber threats. I thank the Attorney General’s office for their coordination during these investigations.” GEICO will pay $9.75 million in penalties, of which OAG secured $4.75 million and DFS secured $5 million. Travelers will pay $1.55 million in penalties, of which OAG secured $350,000 and DFS secured $1.2 million.

Insurance-firm reactions

As part of this settlement with DFS, Chevy Chase, Maryland–based GEICO agreed to conduct remedial measures, including a comprehensive cybersecurity risk assessment and penetration testing, and the development of an action plan to address any resulting concerns. Travelers agreed to review its systems, assess access controls, and improve protections against unauthorized access to NPI (nonpublic personal information). A company spokesperson for New York City–based Travelers forwarded this reaction to CNYBJ. “We’re pleased to have resolved this matter, which involved the stolen credentials of a limited number of independent agents. Protecting the information of all our stakeholders is a top priority, and we will continue to partner with our independent agents to prevent similar incidents in the future. It is important to note that Travelers’ internal systems were not impacted by this incident.” GEICO forwarded this reaction statement to CNYBJ. “GEICO is pleased to have resolved this matter with the New York State Department of Financial Services and the New York State Attorney General. When this issue was identified, GEICO self-reported it to New York State officials and the company made improvements to its systems to prevent additional exploitation by these fraudsters. GEICO takes data security very seriously and has since committed significant resources to further strengthen its cybersecurity program.”

GEICO background

Starting in November 2020, GEICO dealt with a series of cyberattacks on its auto-insurance quoting tools, James’ office said. Hackers were able to obtain New Yorkers’ driver’s-license numbers from GEICO’s publicly facing website because GEICO “failed to protect this information on the website’s back end,” the attorney general contended. Despite DFS notifying the company of an industrywide cyberattack campaign to obtain driver’s-license numbers, and “suffering, disclosing, and remediating” separate cybersecurity incidents, GEICO “failed to conduct a comprehensive review” of its systems to prevent and detect future cyberattacks, according to James. After GEICO remediated its website vulnerabilities, hackers exploited vulnerabilities in GEICO’s insurance agents’ quoting tool, a separate platform from the consumer-facing insurance-quotes website. The personal information of about 116,000 New York residents was exposed in the GEICO cyberattacks, with the vast majority lifted from GEICO’s insurance agents’ quoting tool. Some of the data exposed was later used to file unemployment claims during the COVID-19 pandemic, James’ office noted.

Travelers background

Travelers had a cyberattack on its auto-insurance quoting tool for independent agents. Between January and April 2021, Travelers received several industry alerts warning that hackers were obtaining driver’s-license numbers through insurance-quoting tools. In April 2021, hackers gained access to Travelers’ agent portal through the use of “compromised agent credentials,” which allowed users to generate reports that included consumers’ full driver’s license numbers in plain text. The insurance-agent portal was password protected but did not use multifactor authentication or any other compensating controls, “making it easier to exploit,” per James’ office. Travelers did not detect the breach of its agent portal for more than seven months and was alerted to the attack by a third-party prefill data provider. The Travelers attack exposed the personal information of approximately 4,000 New Yorkers, according to the attorney general.