Geico, Travelers Fined $11.3M for Lax Data Security

Two auto insurance companies will pay a hefty penalty for what the State of New York says was inadequate security that allowed hackers to compromise personal data of more than 12,000 state residents.

New York Attorney General Letitia James and New York State Department of Financial Services (DFS) Superintendent Adrienne A. Harris said the $11.3 million fines against Government Employees Insurance Co. (GEICO) and the Travelers Indemnity Co. follows what the state deemed "poor data security" practices that allowed cybercriminals to steal driver license numbers. Worse, at the height of the COVID-19 crisis, they used that info to file fraudulent unemployment claims. Specifically, the insurers were found to have violated a state regulation to "implement policies, procedures, and controls designed to protect consumer data as well as the financial institutions themselves," their statement said.

GEICO has been ordered to pay $9.75 million, and Travelers will pay $1.55 million.

“GEICO and Travelers offer drivers protection during times of emergencies, but these companies failed to protect consumers' personal information,” James said. “Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously.”

GEICO experienced a November 2020 compromise of its auto insurance quoting tool, allowing threat actors to steal driver license numbers from the company's public-facing website, New York regulators said.

"Despite being notified by DFS of an industry-wide cyberattack campaign to obtain driver's license numbers, and suffering, disclosing, and remediating separate cybersecurity incidents, GEICO failed to conduct a comprehensive review of its systems to prevent and detect future cyberattacks," the statement continued.

Following that breach, hackers pivoted to exploit a vulnerability in GEICO's quoting tool for insurance agents on a separate platform.

Both cyberattacks against GEICO exposed the personal information of about 116,000 New York residents, most of those leaked in the second compromise, the statement added.

Travelers too was breached through a similar cyberattack against its auto insurance quoting tool, this time a calculator used by independent agents. Despite receiving multiple alerts that threat actors were conducting these types of campaigns, in April 2021, hackers were able to use compromised credentials to generate reports with license numbers in plain text, exposing the data of 4,000 New Yorkers, the statement said.

Besides the penalties, these insurers have agreed to improve their cybersecurity practices including improving protections for private information, conducting a comprehensive data inventory, requiring authentication to access private data, implementing logging and monitoring, and enhancing threat response planning and procedures.

GEICO also agreed to conduct remedial measures, including comprehensive risk assessment and penetration testing, plus developing an action plan to address any resulting issues. Travelers agreed to review its systems, assess its own access controls, and improve protections against unauthorized access to nonpublic personal information, according to the regulators' statement.