Two auto insurance giants, GEICO and The Travelers Indemnity Company, have been hit with $11.3 million in fines for lapses in data security that left the personal details of thousands of New Yorkers vulnerable to hackers. The investigations by Attorney General Letitia James and the state's Department of Financial Services (DFS) Superintendent Adrienne A. Harris unveiled poor data safeguards at both companies, with over 120,000 New Yorkers affected by the breaches that date back to 2020, as the New York Attorney General's office announced yesterday.
GEICO was fined $9.75 million and Travelers $1.55 million for failing to secure personal data during cyberattacks that exposed drivers' license numbers and birthdates. Hackers used this information to fraudulently claim unemployment benefits during the COVID-19 pandemic. Both companies were warned about industry-wide cyberattacks targeting online insurance tools but failed to strengthen their security. GEICO was specifically criticized for not fully reviewing its systems after a previous security breach, which allowed hackers to access data through an agent's quoting tool, separate from the consumer website.
Hackers exploited an unsecured agent portal at Travelers, which lacked multifactor authentication, allowing them to steal full driver's license numbers. The breach went undetected for over seven months until a third party alerted the company. Following the settlements, both GEICO and Travelers must implement stronger security measures, including improved authentication and a comprehensive information security program, to protect New Yorkers from future data breaches and cyber threats, as stated by Attorney General James.
The fines and security measures are part of the Attorney General's broader effort to improve cybersecurity across industries, especially for businesses handling sensitive consumer financial data. The OAG and DFS have previously imposed penalties on a healthcare provider and a biotech company for similar issues. Attorney General James has emphasized the importance of data protection and has issued guides to help businesses secure their systems and prevent breaches, a message reinforced by the recent insurance company settlements.
With fines imposed and remediation plans underway, data privacy is becoming a key focus in New York’s public policy, driven by the rise in data breaches across industries. The resulting settlements and new directives may raise cybersecurity standards, reducing breaches and strengthening consumer trust in digital transactions.
