
New York Attorney General Letitia James has secured a $14.2 million settlement from eight car insurance companies following data breaches that exposed the personal information of over 825,000 New Yorkers. The breaches were tied to cyberattacks that targeted the companies' online quote systems, allowing hackers to harvest driver’s license numbers and other sensitive data. This stolen information was then used to file fraudulent unemployment claims at the height of the COVID-19 pandemic, according to the Office of the Attorney General (OAG).
The OAG, together with the New York State Department of Financial Services (DFS), determined that the companies did not adequately enforce data security measures to protect consumer information. Hackers used stolen personal data to commit fraud. The companies provided free credit monitoring to those affected, and the Attorney General's office required improvements to their cybersecurity protocols. The companies involved are American Family Mutual Insurance Company, Farmers Insurance, Hagerty Insurance Agency, The Hartford Insurance Group, Infinity Insurance Company, Liberty Mutual Insurance, Metromile, and State Auto Mutual Insurance Company.
"New Yorkers pay hundreds of dollars in car insurance each month. When they go searching for a cheaper option, they should not have to worry that their private information could be stolen," AG James stated in a press release, emphasizing the responsibility companies have to protect consumer data. The companies now face a series of cybersecurity improvement demands, including the development of a comprehensive security program and maintenance of reasonable authentication procedures for accessing private information.
This action against the car insurance providers is part of over $20 million in similar settlements. Previously, the OAG secured $6.5 million from four other companies for comparable data security issues. The investigations identified vulnerabilities such as the lack of basic security tools, ineffective or missing multifactor authentication, and inadequate threat response procedures, which allowed repeated exploitation of personal data. The finalized settlements require payouts ranging from $815,000 to $2 million.
The investigation leading to these settlements was conducted by a team from the Attorney General’s office, which stated that the measures companies are now required to implement are intended not only to address past issues but also to prevent future breaches.









