Weeks after New York State announced new cyber regulations, the state’s Attorney General Letitia James has filed suit over breaches suffered by car insurer National General, now owned by Allstate Insurance.
“Emboldened Hackers”
“National General’s weak cybersecurity emboldened hackers to steal New Yorkers’ personal data, not once but twice in two separate cyberattacks,” said James in press release. “National General mishandled New Yorkers’ personal information and violated the law by failing to inform them that their data was stolen. It is crucial that companies take cybersecurity seriously to protect consumers from fraud and identity theft, and my office will always hold those who fail to do so accountable.”

The lawsuit stems from data breaches in 2020 and 2021 that involved National General’s car insurance quoting sites exposing the driver’s license numbers (DLNs) of over 165,000 New Yorkers. New York State seeks penalties for the National General’s violation of cyber regulations, including failing to secure its systems and then notify customers after the breaches. The State is also requesting an injunction against the company to prevent further incidents.
Breach Was Part of a Covid Scam?

Not included in some media reports on the lawsuit is a possible motive for the hack, revealed in the full text of the lawsuit. Hackers were stealing DLNs from auto insurance companies to “submit fraudulent claims for pandemic and unemployment benefits,” according to the suit.
Allstate: We’ve Already Fixed the Problem
Allstate told the media the issue had been resolved years ago, saying it had fixed the insurance quoting system that revealed DLNs and “promptly notified regulators, contacted potentially affected consumers, and offered free credit monitoring as a precaution.”
Related: New York State warns insurers against using AI that could “perpetuate or amplify systemic biases that have resulted in unlawful or unfair discrimination.”
Other News relating to cybersecurity laws and regulations: New York State Announces New Cyber Regulations; Exempts Itself(Opens in a new browser tab)