Two major insurance providers in New York confront substantial penalties amid revelations of widespread customer data breaches.
According to a Newsweek report, New York Attorney General Letitia James has imposed fines totaling over $11 million on GEICO and The Travelers Indemnity Company for failing to protect sensitive customer information during multiple cyber attacks.
The security breaches affected approximately 120,000 New York residents, exposing crucial personal data, including driver's license numbers, birth dates, and insurance quotes. These breaches occurred through various system vulnerabilities that both companies failed to address adequately despite receiving early warnings about potential cyber threats.
GEICO's security troubles began in November 2020 when hackers exploited vulnerabilities in the company's website architecture. The breach enabled unauthorized access to driver's license information, creating a significant security risk for customers. Despite being notified about industry-wide attacks by the Department of Financial Services, GEICO did not conduct a thorough system review to prevent future incidents.
The situation worsened when cyber criminals targeted a separate insurance agents' quoting tool, resulting in the theft of information from approximately 116,000 New York residents. This stolen data was subsequently used to file fraudulent unemployment claims during the COVID-19 pandemic, amplifying the impact of the breach.
Travelers experienced similar security failures between January and April 2021. The company received multiple alerts about potential hacking attempts but failed to prevent a successful breach. Hackers used compromised agent credentials to generate reports and access customer information, an intrusion that went undetected for seven months.
Attorney General James has ordered GEICO to pay $9.75 million in penalties, while Travelers must pay $1.5 million. The enforcement action demonstrates the state's commitment to protecting consumer data and holding companies accountable for security lapses.
DFS Superintendent Adrienne Harris emphasized the importance of robust cybersecurity measures, stating:
"DFS's groundbreaking cybersecurity regulation establishes a vital foundation for ensuring the safety of sensitive consumer data and the resilience of financial institutions. These enforcement actions reinforce the Department's commitment to ensuring that all licensees, especially those entrusted with consumer financial information like GEICO and Travelers, uphold their duty to implement robust measures that shield New Yorkers from potential data breaches and cyber threats."
Both companies have acknowledged the incidents and expressed their commitment to strengthening security measures. A GEICO spokesperson noted that the company self-reported the breach and has already implemented system improvements.
The settlement requires both insurance providers to implement comprehensive cybersecurity improvements. These enhancements include strengthening safeguards for sensitive information and developing more effective threat response procedures.
Travelers emphasized that the incident only affected a limited number of independent agents, with their internal systems remaining secure. The company has pledged to work closely with independent agents to prevent similar incidents in the future.
New York's Attorney General Letitia James and the Department of Financial Services have levied substantial fines against GEICO and Travelers for failing to protect customer data in multiple cyber attacks between 2020 and 2021. The breaches exposed the sensitive information of approximately 120,000 New York residents.
Both insurance companies must now implement enhanced security protocols while paying combined penalties exceeding $11 million. The settlement aims to strengthen consumer data protection and prevent future security breaches in the insurance industry.