SecurityWeek


New York Fines Geico and Travelers $11 Million Over Data Breaches

New York has announced $11 million settlements with Geico and Travelers over data breaches affecting 120,000 people.

Auto insurance companies Geico and Travelers were fined $11 million in New York over data breaches that impacted the personal information of over 120,000 individuals.

The insurance quoting tools of Government Employees Insurance Company (Geico) were targeted in several cyberattacks starting in November 2020, leading to the compromise of a public-facing website’s backend and the theft of driver’s license numbers.

Geico was notified several times of an industry-wide hacking campaign aimed at information theft from online automobile insurance quoting applications and responded to separate incidents, but did not take the necessary measures to protect its systems.

Vulnerabilities in the company’s website and insurance agents’ quoting tool eventually led to attackers compromising the personal information of approximately 116,000 New York residents.

According to the New York Attorney General and the New York State Department of Financial Services (DFS), some of the stolen information was used to file unemployment claims during the COVID-19 pandemic.

The Travelers Indemnity Company (Travelers) fell victim to an attack on its insurance agent portal in April 2021, after receiving several alerts about the hacking campaign.

The attackers used stolen credentials to access Travelers’ insurance agent portal, which did not have multi-factor authentication (MFA) enabled, and generated reports that included driver’s license numbers in plain text.

Approximately 4,000 New York residents were impacted, and Travelers did not discover the data breach until seven months later, when a third-party prefill data provider notified it.


Investigations conducted by the New York OAG and DFS concluded that the two companies did not implement security controls to protect customers’ information and did not comply with regulations requiring them to properly protect that information.

On Monday, the New York OAG and DFS announced a $9.75 million settlement (PDF) with Geico and a $1.55 million settlement (PDF) with Travelers.

The two auto insurance companies agreed to review and improve their cybersecurity practices through comprehensive information security programs, data inventories, reasonable authentication procedures, logging and monitoring systems, and improved threat response procedures.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
