New York fines GEICO, Travelers $11.3M over cybersecurity failures

New York has imposed $11.3 million in fines on auto insurers GEICO and Travelers for cybersecurity failures that exposed the personal information of an estimated 120,000 customers, including sensitive data like driver’s license numbers.  

The settlements, announced by New York Attorney General Letitia James and State Department of Financial Services (DFS) Superintendent Adrienne A. Harris, include $9.75 million from GEICO and $1.55 million from Travelers. The breaches were part of a broader industry campaign by hackers targeting online insurance quoting systems during the COVID-19 pandemic.  

“GEICO and Travelers failed to protect their customers’ personal information, leaving tens of thousands of New Yorkers exposed to fraud and identity theft,” said Attorney General James. “This settlement holds these companies accountable and ensures they take the necessary steps to prevent future breaches.”  

The DFS investigation found that GEICO’s vulnerabilities dated back to November 2020, when hackers exploited flaws in its public quoting tools and agents’ systems, exposing the data of approximately 116,000 New Yorkers. “Despite being notified by DFS of an industry-wide cyberattack campaign…GEICO failed to conduct a comprehensive review of its systems to prevent and detect future cyberattacks,” the DFS consent order stated.  

Hackers used the stolen information, including driver’s license numbers, to file fraudulent unemployment claims at the height of the pandemic. The breach prompted DFS to mandate a thorough review of GEICO’s systems, which revealed inadequate protections on both consumer-facing and agent portals.  

Travelers faced criticism for failing to detect a breach on its agent portal for over seven months. In April 2021, hackers accessed the portal using compromised credentials and extracted full driver’s license numbers in plain text. The breach, which affected approximately 4,000 New Yorkers, occurred despite industry alerts warning of such vulnerabilities. DFS noted that the portal lacked basic safeguards, including multifactor authentication.  

“Consumers trust insurance companies with highly sensitive personal information,” said DFS Superintendent Harris. “GEICO and Travelers failed to meet the required cybersecurity standards, and we will continue to hold companies accountable to protect consumers.”  

In addition to the financial penalties, both companies agreed to strengthen their cybersecurity measures. GEICO committed to conducting a comprehensive risk assessment, penetration testing, and developing an action plan to address vulnerabilities. Travelers will enhance access controls, implement stronger protections against unauthorized access, and evaluate its cybersecurity protocols.  

These settlements underscore the increasing regulatory focus on holding companies accountable for data protection failures, with New York’s DFS leading efforts to enforce cybersecurity compliance across industries.
