Repairer Driven News

New York penalizes GEICO, Travelers $11.3 million for poor data security


GEICO and Travelers Indemnity Co. have been fined a combined $11.3 million in penalties by the New York Attorney General’s Office (OAG) and the Department of Financial Services (DFS) for poor data security, which led to the personal information of more than 130,000 New Yorkers being compromised, according to a press release.

An OAG investigation found that neither company had implemented sufficient data security controls before an industry-wide campaign by hackers to steal consumers’ personal information, including driver’s license numbers and dates of birth, from auto insurance quoting applications, according to the release. It says the hackers used the information to file fraudulent unemployment claims during the COVID-19 pandemic.

“GEICO and Travelers offer drivers protection during times of emergencies but these companies failed to protect consumers’ personal information,” said Attorney General Letitia James, in the release. “Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously. I thank the Department of Financial Services and the Department of Labor for their partnership and continued work to hold companies accountable when they fail to protect consumers.”

The investigation further found that the insurance companies did not comply with DFS’s cybersecurity regulations, which require companies to implement policies, procedures, and controls designed to protect consumer data and financial institutions.

GEICO was fined $9.75 million in penalties and Travelers $1.55 million, the release says.

“DFS’s groundbreaking cybersecurity regulation establishes a vital foundation for ensuring the safety of sensitive consumer data and the resilience of financial institutions,” said DFS Superintendent Adrienne Harris, in the release. “Licensees, especially those entrusted with consumer financial information like GEICO and Travelers, uphold their duty to implement robust measures that shield New Yorkers from potential data breaches and cyber threats. I thank the Attorney General’s office for their coordination during these investigations.”

GEICO was attacked by hackers starting in November 2020, the release says. It says GEICO failed to conduct a comprehensive review of its systems to prevent and detect future cyberattacks, despite DFS notifying the company of an industry-wide cyberattack campaign. Overall, 116,000 New York residents’ personal information was exposed when hackers exploited vulnerabilities in the company’s insurance agents’ quoting tool.

Travelers’ auto insurance quoting tools for independent agents were attacked between January and April 2021. The company had received several industry alerts warning that hackers were obtaining driver’s license numbers through insurance quoting tools, the release said. It says the hackers gained access using compromised agent credentials; the portal did not use multifactor authentication or any other compensating controls, and it took seven months before Travelers detected the breach. The attack exposed the personal information of about 4,000 New Yorkers.

According to the press release, in addition to the penalties, the companies are required to:

    • Maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
    • Develop and maintain a data inventory of private information and ensure the information is protected by safeguards;
    • Maintain reasonable authentication procedures for access to private information;
    • Maintain a logging and monitoring system, as well as reasonable policies and procedures designed to properly configure such a system to alert on suspicious activity; and
    • Enhance their threat response procedures.

GEICO also agreed to conduct remedial measures, including a comprehensive cybersecurity risk assessment and penetration testing, and the development of an action plan, according to the release. Travelers agreed to review its systems, assess access controls, and improve protections against unauthorized access.

Cybersecurity is a business risk that needs to be addressed at the top to protect employees, customers, and business interests, according to panelists who presented on the Data Security, System Stability & The Current State of the Collision Repair Industry Committee session during the 2024 MSO Symposium earlier this month.

This past summer, a ransomware attack on CDK rattled the dealership and collision repair industry. The attack caused the company to shut down its management system, used by 15,000 dealerships, which also disrupted parts ordering and inventory management for collision businesses. The system remained shut down for nearly two weeks.

Photo courtesy of jetcityimage/iStock