Insurance Companies Fined for Data Breaches

The state of New York fined two major insurance companies for poor cybersecurity that failed to prevent data breaches. Attorney General Letitia James and New York State Department of Financial Services (DFS) Superintendent Adrienne Harris announced a $9.75 million penalty for GEICO and a $1.55 million penalty for Travelers. The two companies experienced data breaches that compromised the personal information of more than 120,000 New Yorkers. The breaches were part of a hacking effort that targeted insurance companies. The hackers collected driver’s license numbers and dates of birth and used the information to file fraudulent unemployment claims during the COVID-19 pandemic.

After an investigation, the Office of the Attorney General (OAG) determined that the companies did not implement sufficient data security controls to protect consumers’ private information. A DFS investigation concluded that Geico and Travelers did not comply with DFS’s cybersecurity regulation that requires businesses to implement policies, procedures, and controls to protect consumer data and the financial institutions themselves.

Geico Data Breach

In 2020, GEICO began experiencing a series of cyberattacks targeting its auto insurance quoting tools. Hackers got driver’s license numbers from GEICO’s publicly-facing website due to the alleged failure to protect the website’s back end. Despite being notified by DFS of an industry-wide cyberattack campaign to obtain driver’s license numbers, GEICO failed to conduct a comprehensive review of its systems to prevent and detect future cyberattacks. After GEICO remediated its website vulnerabilities, hackers attacked GEICO’s insurance agents’ quoting tool, a separate platform from the consumer-facing insurance quotes website. The personal information of approximately 116,000 New York residents was exposed in the GEICO cyberattacks, the majority from GEICO’s insurance agents’ quoting tool.

Travelers Data Breach

Between January and April 2021, Travelers received several warnings that hackers were obtaining driver’s license numbers through insurance quoting tools. In April 2021, hackers used compromised agent credentials to access Travelers’ agent portal that can be used to generate reports that included consumers’ full driver’s license numbers. The insurance agent portal was password protected but did not use multifactor authentication or any other compensating controls. Travelers did not detect the breach for more than seven months and was alerted to the attack by a third-party prefill data provider. The attack exposed the personal information of approximately 4,000 New Yorkers.

Settlement Agreements

On top of the financial penalties, GEICO and Travelers agreed to take the following actions to improve their cybersecurity practices:

• Maintaining a comprehensive information security program to protect the security, confidentiality, and integrity of private information
• Developing and maintaining a data inventory of private information and ensuring the information is protected by safeguards
• Maintaining reasonable authentication procedures for access to private information
• Maintaining a logging and monitoring system as well as reasonable policies and procedures to properly configure such system to alert on suspicious activity
• Enhancing their threat response procedures

GEICO also agreed to conduct cybersecurity risk assessments and penetration testing and develop an action plan to address any resulting concerns. Travelers also agreed to review its systems, assess access controls, and improve protections against unauthorized access to nonpublic personal information.

These penalties highlight the need for organizations to be aware of the risks from local-level laws like the New York DFS cybersecurity regulations. State-level data privacy laws typically include requirements for safeguarding personal data. Organizations can use security standards like NIST CSF, ISO 27001, or SOC 2 as the framework to build a cybersecurity program that will protect data and reduce the risk of penalties.

CompliancePoint has a team of cybersecurity experts that can help your organization design, implement, and manage an effective cybersecurity program. Contact us at connect@compliancepoint.com to learn more about our services.