New York fines Geico and Travelers $11.3m for data breaches

Auto insurers will pay fines totaling $11.3m for data breaches that New York officials say compromised personal information of 120,000 customers.

Insurance giants Geico and Travelers will pay a combined $11.3m in penalties “for having poor data security,” which allowed information on more than 120,000 New Yorkers to be compromised during the COVID-19 pandemic, according to the New York Department of Financial Services (NYDFS), which announced the fine this week.

The settlement follows an investigation by the NYDFS, which found that the companies had failed to comply with its cybersecurity regulation, and a separate investigation by the New York State Attorney General, which alleged that the companies had failed to implement proper data security controls as insurance businesses.

Geico, which had 116,000 customers from New York exposed in the attacks, will pay most of the penalties, at $9.75m. Travelers, which had 4,000 customers exposed, will pay $1.55m, the NYDFS said. The settled order also requires the insurers to undertake a number of cybersecurity improvements, including better authentication and access logging.

Reviewing systems to prevent attacks

The attacks were part of a campaign by hackers to steal personal information at the height of the COVID-19 pandemic, the joint statement said, and some of that information was then used to file fraudulent unemployment claims. 

In April 2021, hackers allegedly used stolen credentials to break into Travelers’ insurance agents’ quoting tool, which allowed users to generate reports with driver’s license numbers in plain text. The system wasn’t protected by multifactor authentication, the joint statement said, and the attack went undetected for seven months, leading to data on around 4,000 people being stolen.

By January 2021, Geico instituted a new measure in an effort to mask driver’s license numbers. The company’s cybersecurity team also began a review, searching the dark web for evidence that hackers had been stealing and compiling the numbers. 

They found cybercriminals discussing breaching Geico’s system and stealing driver’s license numbers. In some instances, hackers were purchasing policies and filing fraudulent claims to gain access to customers’ driver’s license numbers. Geico discovered that hackers then found another way to get access to the numbers through its Application Programming Interface (API).

In February 2021, the company reported the incident to the New York Attorney General’s office, but several regulators in New York state warned Geico that its systems were still exposed. 

It took Geico another month to fully address all of the security loopholes being exploited by the hackers. In total, the hackers stole 135,414 driver’s license numbers, about 116,611 of which belong to New York residents, the New York authorities said.

“Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously,” NY State Attorney General Letitia James said in a prepared statement.

Part 500 Rules

NYDFS found that both companies violated its 2017 cybersecurity regulations (23 NYCRR 500 or “Part 500”), which are some of the strictest in the US.

These rules include specific cybersecurity requirements, an annual certification process, incident reporting, and third-party service provider policies and procedures premised on due diligence and risk assessments.

And they set out the implications of non-compliance for covered financial institutions, among other things. The rules were updated in 2023 to cover ransom payments and board oversight of cyber risk management.

The Part 500 rules also require each covered entity to designate a qualified individual responsible for overseeing and implementing the entity’s cybersecurity program and enforcing its cybersecurity policy – a Chief Information Security Officer or CISO.

Cybersecurity remains a high-priority area for federal and state regulators in terms of rulemaking, examinations, and enforcement. And a recent study found that most eCommerce merchants had dealt with cyberattacks or data breaches in the prior year, with 82% of those companies suffering an attack in that time, and 47% saying the breaches caused them to lose both revenue and customers.

Auto insurance firms and data controls

Just to place this case into context: auto insurance companies have websites that typically provide insurance quotes in real time to potential customers. The sites usually have features that automatically fill in applications after people enter their names or addresses.

Companies such as Geico and Travelers work with third-party data brokers that supply this information to expedite insurance purchases: the quoting tools automatically pull up a person’s driver’s license number or vehicle identification number, details the person might not have directly on hand.
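The pre-fill flow described above is where both incidents turned a convenience feature into a data leak: the quoting tool returned the full driver’s license number to whoever could reach it. The following is an added example, not code from Geico, Travelers or any broker, of the control Geico is described as adopting: masking the identifier before it leaves the server so the applicant can still confirm a match on the last four characters. The record layout, field names and sample values are constructed for the example, and the egress check is a hypothetical safeguard of the kind a team might add to catch a regression.

```python
"""
Added example: masking sensitive identifiers in a quote pre-fill response.

`prefill_leaky` models the 'before' state described in the settlement (the
driver's license number echoed back in plain text); `prefill_masked` returns
the same record with only the trailing four characters of the license and
VIN visible. Nothing here is the insurers' or a broker's actual code.
"""
import copy
import re

# Constructed sample record as a data broker might return it (fictional values).
BROKER_RECORD = {
    "name": "Jane Sample",
    "address": "1 Example St, Albany, NY",
    "drivers_license": "S12345678901234",  # fictional value, not a real format
    "vin": "1HGCM82633A004352",            # fictional value
    "vehicle": "2003 Honda Accord",
}

# Fields that must never leave the service unmasked (hypothetical policy).
SENSITIVE_FIELDS = {"drivers_license", "vin"}

# A correctly masked value is a run of '*' followed by at most four visible
# characters; anything else in a sensitive field is treated as a leak.
MASKED_PATTERN = re.compile(r"^\*+[A-Za-z0-9]{0,4}$")


def mask_identifier(value: str, visible: int = 4, mask_char: str = "*") -> str:
    """Replace all but the trailing `visible` characters of `value`.

    Values no longer than `visible` are masked entirely, so a short
    identifier never leaks in full through the suffix.
    """
    if len(value) <= visible:
        return mask_char * len(value)
    return mask_char * (len(value) - visible) + value[-visible:]


def prefill_leaky(record: dict) -> dict:
    """Before: hand the broker record straight back to the browser."""
    return copy.deepcopy(record)


def prefill_masked(record: dict) -> dict:
    """After: copy the record and mask every sensitive field server-side.

    The quote flow only needs the visible suffix so the applicant can confirm
    the pre-filled record is theirs; the full value stays on the back end.
    """
    out = copy.deepcopy(record)
    for field in SENSITIVE_FIELDS:
        if out.get(field):
            out[field] = mask_identifier(str(out[field]))
    return out


def has_unmasked_identifier(response: dict) -> bool:
    """Egress check: True if any sensitive field still carries an unmasked value.

    Intended to run on every outbound pre-fill response (or in a unit test)
    so that a new code path that forgets to mask is caught before release.
    """
    return any(
        field in response and not MASKED_PATTERN.fullmatch(str(response[field]))
        for field in SENSITIVE_FIELDS
    )


if __name__ == "__main__":
    leaky = prefill_leaky(BROKER_RECORD)
    masked = prefill_masked(BROKER_RECORD)
    print("leaky response leaks identifier:", has_unmasked_identifier(leaky))
    print("masked response leaks identifier:", has_unmasked_identifier(masked))
    print("masked license:", masked["drivers_license"])
```

Masking the response does not by itself address the other failures the regulators cite, such as missing multifactor authentication on the agent portal and the seven months without detection; it only removes the full identifier from the one place the attackers were reading it.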

The Geico and Travelers settlements come after EyeMed Insurance paid $4.5m in 2022 for Part 500 violations related to weak cybersecurity controls that contributed to the exposure of hundreds of thousands of consumers’ sensitive, non-public personal health data, including data concerning minors.

Statements from the companies

“Protecting the information of all our stakeholders is a top priority, and we will continue to partner with our independent agents to prevent similar incidents in the future,” a Travelers spokesperson said.

“When this issue was identified, Geico self-reported it to New York State officials and the company made improvements to its systems to prevent additional exploitation by these fraudsters,” a Geico spokesman said. “Geico takes data security very seriously and has since committed significant resources to further strengthen its cybersecurity program.”