GEICO & Travelers Fined $11.3 Million After Data Breaches Expose Sensitive New Yorker Information
New York Attorney General Letitia James and Department of Financial Services (DFS) Superintendent Adrienne Harris have secured $11.3 million in penalties from GEICO and Travelers Insurance. The auto insurers were found to have inadequate data protections, leading to breaches that exposed the personal information of over 120,000 New Yorkers, with some of that data later used to commit unemployment fraud during the COVID-19 pandemic.
GEICO and Travelers fell victim to targeted cyberattacks aimed at exploiting vulnerabilities in their insurance quoting systems. Hackers were able to steal driver’s license numbers and other sensitive data, leaving many New Yorkers exposed to financial harm.
GEICO, hit with the larger fine of $9.75 million, experienced multiple breaches beginning in late 2020. Despite industry warnings about a surge in cyberattacks, GEICO failed to take adequate precautions. Hackers gained access through the company’s public website and later through vulnerabilities in its agents’ quoting tools. In total, about 116,000 New Yorkers had their personal information compromised.
Travelers, penalized $1.55 million, suffered a breach in early 2021 when attackers exploited weaknesses in its agent portal. Shockingly, it took Travelers more than seven months to detect the intrusion, even after multiple warnings from industry sources. The hackers managed to access driver’s license numbers stored in plain text, a glaring oversight in today’s cybersecurity landscape.
Accountability for Weak Cybersecurity
Investigators from DFS and the Office of the Attorney General (OAG) found both companies failed to meet the requirements of New York’s pioneering Cybersecurity Regulation. This framework, in place since 2017, mandates strict controls to protect sensitive data.
DFS Superintendent Adrienne Harris didn’t mince words in describing the gravity of these failures:
“DFS’s Cybersecurity Regulation sets a critical standard for protecting consumer data and ensuring the resilience of financial institutions. These enforcement actions demonstrate our commitment to holding companies accountable when they fall short.”
Attorney General Letitia James also stressed the importance of consumer trust: “GEICO and Travelers promise to protect their customers in times of crisis, yet they failed to protect the most basic information. Data breaches can devastate lives, and companies must take their cybersecurity obligations seriously.”
As part of the settlements, both insurers are required to overhaul their cybersecurity practices:
- GEICO will conduct a top-to-bottom cybersecurity risk assessment, strengthen its testing protocols, and implement an action plan to close identified gaps.
- Travelers will review access controls, improve its defenses against unauthorized access, and enhance overall protections for sensitive data.
Additionally, both companies agreed to adopt comprehensive security measures, including improved monitoring systems, stricter authentication protocols, and better protection for private information.