Attorney General James and DFS Superintendent Harris Secure $11.3 Million from Auto Insurance Companies over Data Breaches

NEW YORK - New York Attorney General Letitia James and New York State Department of Financial Services (DFS) Superintendent Adrienne A. Harris today secured $11.3 million in penalties from two auto insurance companies, the Government Employees Insurance Company (GEICO) and The Travelers Indemnity Company (Travelers), for having poor data security which led to the personal information of more than 120,000 New Yorkers being compromised. These events were part of an industry-wide campaign by hackers to steal consumers' personal information, including driver's license numbers and dates of birth, from online automobile insurance quoting applications, including those used by GEICO and Travelers. The hackers then used some of the stolen driver's license information to file fraudulent unemployment claims at the height of the COVID-19 pandemic. The OAG investigation concluded that the auto insurance companies did not implement sufficient data security controls to protect consumers' private information. The DFS investigation concluded that the auto insurance companies did not comply with DFS's cybersecurity regulation that requires them to implement policies, procedures, and controls designed to protect consumer data and the financial institutions themselves. As a result of today's settlements, GEICO will pay $9.75 million in penalties and Travelers will pay $1.55 million.

"GEICO and Travelers offer drivers protection during times of emergencies, but these companies failed to protect consumers' personal information," said Attorney General James. "Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously. I thank the Department of Financial Services and the Department of Labor for their partnership and continued work to hold companies accountable when they fail to protect consumers."

"DFS's groundbreaking cybersecurity regulation establishes a vital foundation for ensuring the safety of sensitive consumer data and the resilience of financial institutions," said Superintendent Harris. "These enforcement actions reinforce the Department's commitment to ensuring that all licensees, especially those entrusted with consumer financial information like GEICO and Travelers, uphold their duty to implement robust measures that shield New Yorkers from potential data breaches and cyber threats. I thank the Attorney General's office for their coordination during these investigations."

Starting in November 2020, GEICO experienced a series of cyberattacks on its auto insurance quoting tools. Hackers were able to obtain New Yorkers' driver's license numbers from GEICO's publicly-facing website because GEICO failed to protect this information on the website's back end. Despite being notified by DFS of an industry-wide cyberattack campaign to obtain driver's license numbers, and suffering, disclosing, and remediating separate cybersecurity incidents, GEICO failed to conduct a comprehensive review of its systems to prevent and detect future cyberattacks. After GEICO remediated its website vulnerabilities, hackers exploited vulnerabilities in GEICO's insurance agents' quoting tool, a separate platform from the consumer-facing insurance quotes website. The personal information of approximately 116,000 New York residents was exposed in the GEICO cyberattacks, with the vast majority being lifted from GEICO's insurance agents' quoting tool. Some of the exposed data was later used to file unemployment claims during the COVID-19 pandemic. 

Travelers experienced a cyberattack on its auto insurance quoting tool for independent agents. Between January and April 2021, Travelers received several industry alerts warning that hackers were obtaining driver's license numbers through insurance quoting tools. In April 2021, hackers gained access to Travelers' agent portal through the use of compromised agent credentials, which allowed users to generate reports that included consumers' full driver's license numbers in plain text. The insurance agent portal was password protected but did not use multifactor authentication or any other compensating controls, making it easier to exploit. Travelers did not detect the breach of its agent portal for more than seven months and was alerted to the attack by a third-party prefill data provider. The Travelers attack exposed the personal information of approximately 4,000 New Yorkers.

Today's agreements require GEICO and Travelers to significantly enhance their security and pay penalties to the state. GEICO will pay $9,750,000 in penalties, of which OAG secured $4,750,000 and DFS secured $5 million. Travelers will pay $1,550,000 in penalties, of which OAG secured $350,000 and DFS secured $1,200,000.

In addition to the penalties, the OAG settlement agreement requires the companies to adopt a series of measures aimed at strengthening their cybersecurity practices going forward, including:

• Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
• Developing and maintaining a data inventory of private information and ensuring the information is protected by safeguards;
• Maintaining reasonable authentication procedures for access to private information;
• Maintaining a logging and monitoring system, as well as reasonable policies and procedures designed to properly configure such system to alert on suspicious activity; and    
• Enhancing their threat response procedures.   

As part of this settlement with DFS, Geico agreed to conduct remedial measures, including a comprehensive cybersecurity risk assessment and penetration testing, and the development of an action plan to address any resulting concerns. Travelers agreed to review its systems, assess access controls, and improve protections against unauthorized access to NPI (nonpublic personal information).

Since the implementation of the Cybersecurity Regulation and under Superintendent Harris, DFS has entered into consent orders with 12 entities for violations resulting in over 100 million in fines for New York State. DFS's Cybersecurity Regulation became effective in March 2017, with an updated amendment effective as of November 2023 designed to enhance cyber governance, mitigate risks, and strengthen protections for New York businesses and consumers against cyber threats. It has served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states, the National Association of Insurance Commissioners (NAIC), and the CSBS Nonbank Model Data Security Law.

Attorney General James thanks the New York State Department of Labor's Office of Special Investigations for their work on this matter. 

Attorney General James has taken several actions to hold companies accountable for having poor cybersecurity and to improve data security practices. In October 2024, Attorney General James secured $2.25 million from a Capital Region health care provider for failing to protect the private information and medical data of New Yorkers. In August 2024, Attorney General James and a multistate coalition secured $4.5 from a biotech company for failing to protect patient data. In July, Attorney General James launched two privacy guides, a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web, to help businesses and consumers protect themselves. In July, Attorney General James also issued a consumer alert to raise awareness about free credit monitoring and identity theft protection services available for millions of consumers impacted by the Change Healthcare data breach. In April 2023, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices. In January 2022, Attorney General James released a business guide for credential stuffing attacks that detailed how businesses could protect themselves and consumers.

Read the DFS GEICO and Travelers consent orders.

###