New York fines GEICO and Travelers $11.3 million in data breach cases
The Government Employees Insurance Company (GEICO) and The Travelers Indemnity Company on Nov. 25 agreed to pay $11.3 million in fines for having poor data security that led to the compromise of the personal information of more than 120,000 New York residents.
GEICO will pay $9.75 million in penalties in a case that affected 116,000 New Yorkers, while Travelers agreed to pay $1.55 million for not protecting the sensitive information of 4,000 state residents.
The fines were part of a settlement reached by New York Attorney General Letitia James and New York State Department of Financial Services (DFS) Superintendent Adrienne A. Harris.
According to Attorney General James, the events surrounding the two auto insurance companies were part of an industrywide campaign by hackers to steal the personal information of consumers, including driver’s licenses numbers and dates of birth from the online auto insurance quoting apps managed by GEICO and Travelers. The GEICO hack started in November 2020, while the height of the attack on Travelers ran from January to April 2021.
In the GEICO case, despite notifications from DFS of the cyberattacks, the state claimed that GEICO failed to respond and implement appropriate security controls. The hackers then used the driver’s license information to file fraudulent unemployment claims during the COVID-19 pandemic. Travelers did not detect the breach of its agent portal for more than seven months and was alerted to the attack by a third-party prefill data provider.
