When GEICO and Travelers were hacked, stealing personal information from over 120,000 New Yorkers. They exploited vulnerabilities in online auto insurance quoting tools to obtain driver’s license numbers and dates of birth. The stolen data was later used to file fraudulent unemployment claims during the peak of the COVID-19 pandemic.
The Geico Travelers Hack
Starting in November 2020, GEICO faced cyberattacks on its auto insurance quoting tools. Hackers accessed driver’s license numbers from GEICO’s publicly-facing website due to weak security measures. Despite warnings of industry-wide attacks, GEICO failed to thoroughly review its systems. After initial fixes, hackers exploited vulnerabilities in GEICO’s insurance agents’ quoting tool, affecting approximately 116,000 New Yorkers.
Between January and April 2021, Travelers experienced a cyberattack on its agent portal. Hackers used compromised agent credentials to generate reports containing driver’s license numbers in plain text. The portal lacked multifactor authentication, making it easier to breach. Travelers did not detect the attack for over seven months and was alerted by a third-party data provider. Around 4,000 New Yorkers were affected.
The Penalties
As a result, New York Attorney General Letitia James and DFS Superintendent Adrienne A. Harris secured $11.3 million in penalties from GEICO and Travelers due to the hacks. GEICO will pay $9.75 million, and Travelers will pay $1.55 million. Investigations concluded that both companies failed to implement sufficient data security controls and did not comply with cybersecurity regulations.
“GEICO and Travelers offer drivers protection during emergencies, but these companies failed to protect consumers’ personal information,” said Attorney General James. “Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously.”
Beyond the fines, GEICO and Travelers agreed to enhance their cybersecurity practices.
They will:
- Maintain a comprehensive information security program.
- Develop and maintain a data inventory of private information with safeguards.
- Implement reasonable authentication procedures for access to private information.
- Establish a logging and monitoring system to alert on suspicious activity.
- Enhance threat response procedures.
Both companies will review their cybersecurity measures and implement necessary improvements to prevent unauthorized access to sensitive information.
Other News: Cyber Risk Tops Business Concerns as Threats Surge, Travelers Report Finds(Opens in a new browser tab).
Other News: Starbucks, Other Retailers Hit by Ransomware Attack on Tech Provider
