
NY attorney general penalizes Root insurance, requires data security enhancements following cyber attack
Root, an auto insurance company, must pay $975,000 in penalties and is required to enhance its data security following a lawsuit from the New York Attorney General Letitia James.
A press release from the attorney general’s office says Root failed to protect the personal information of about 45,000 New Yorkers during a cyberattack the company discovered in 2021.
“When companies have poor data security practices, they put individuals at risk of identity theft and other fraud,” said James in the release. “Auto insurance companies need to make sure that the systems they use to store people’s data are protected to prevent cybercriminals from stealing driver’s license numbers, Social Security numbers, and other private information. Today’s settlement should send a message to companies in the auto insurance industry that my office will take action to protect New Yorkers’ private information.”
The attack was industry-wide and targeted online auto insurance quoting applications, the release says. The thieves used some of the stolen driver’s license information to file fraudulent unemployment claims during the COVID-19 pandemic.
Root does not offer insurance in New York, but the attack still allowed scammers to gain access to New Yorkers’ personal information, according to the release.
The company’s online quoting tool would pre-fill personal information such as driver’s license numbers after a user had entered only limited information, the release says.
An assurance of discontinuance, filed by the attorney general, claims Root noticed an unusual increase in the number of unattributed profiles being created on its website on Jan. 27, 2021. Unattributed profiles don’t indicate how the individual had been directed to Root.
The security team was alerted because this suggested an automated robot, or “bot,” attack. The suit claims Root adopted attack mitigation measures, including a temporary CAPTCHA, and took steps to block automated traffic.
According to the suit, Root realized on Jan. 28 that personal information had been exposed during the attack, and additional security measures were started, including temporarily disabling the driver’s license lookup and pre-fill functions.
During the attack, about 72,852 driver’s license numbers were exposed. This included 44,449 New York drivers.
The Office of the Attorney General (OAG) found that Root failed to perform an adequate risk assessment of its website, the release says. The company had not identified that consumer personal information was exposed in plaintext, and it employed insufficient controls to stop automated attacks.
Root is required to enhance its data security, including by:
- “Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
- Developing and maintaining a data inventory of private information and ensuring such information is protected by reasonable safeguards;
- Maintaining reasonable authentication procedures for access to private information;
- Maintaining a logging and monitoring system as well as reasonable policies and procedures designed to properly configure the system to alert of suspicious activity.”
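As an added illustration (not code from the article, Root, or the OAG), the following Python sketches the kind of monitoring the last requirement describes: it parses constructed profile-creation log lines, counts unattributed creations per hour, flags hours that exceed an assumed baseline, and masks a pre-filled license number so the full value is not returned in plaintext. The log field names, the baseline figure and the sample data are all assumptions.

```python
import json
from collections import Counter
from datetime import datetime
# Constructed sample log (one JSON object per line); not real Root data.
# Empty "source" = nothing recorded how the visitor reached the quote form,
# i.e. an "unattributed" profile in the article's terms.
SAMPLE_LOG = """\
{"ts": "2021-01-27T09:00:12", "event": "profile_created", "source": "google_ads", "ip": "198.51.100.4"}
{"ts": "2021-01-27T09:05:40", "event": "profile_created", "source": "", "ip": "203.0.113.9"}
{"ts": "2021-01-27T10:30:00", "event": "profile_created", "source": "", "ip": "203.0.113.20"}
{"ts": "2021-01-27T11:00:01", "event": "profile_created", "source": "", "ip": "203.0.113.31"}
{"ts": "2021-01-27T11:00:02", "event": "profile_created", "source": "", "ip": "203.0.113.32"}
{"ts": "2021-01-27T11:00:03", "event": "profile_created", "source": "", "ip": "203.0.113.31"}
{"ts": "2021-01-27T11:00:04", "event": "profile_created", "source": "", "ip": "203.0.113.33"}
{"ts": "2021-01-27T11:00:05", "event": "profile_created", "source": "", "ip": "203.0.113.31"}
{"ts": "2021-01-27T11:01:10", "event": "quote_viewed", "source": "", "ip": "203.0.113.31"}
"""

def parse_events(log_text):
    # One dict per non-empty line; "ts" becomes a datetime for bucketing.
    events = [json.loads(l) for l in log_text.splitlines() if l.strip()]
    for rec in events:
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    return events

def unattributed_per_hour(events):
    # Count profile creations with no attribution, bucketed by hour.
    counts = Counter()
    for e in events:
        if e["event"] == "profile_created" and not e.get("source"):
            counts[e["ts"].replace(minute=0, second=0, microsecond=0)] += 1
    return counts

def find_spikes(counts, baseline_per_hour, factor=3):
    # Hours whose count exceeds factor x baseline. The baseline is an assumed
    # figure; a real deployment derives it from its own history.
    return sorted(h for h, n in counts.items() if n > baseline_per_hour * factor)

def mask_license(number, visible=4):
    # Return only the last `visible` characters; the full value never goes
    # to the browser in plaintext just because a lookup matched.
    hidden = len(number) - visible if len(number) > visible else len(number)
    return "*" * hidden + number[hidden:]

if __name__ == "__main__":
    counts = unattributed_per_hour(parse_events(SAMPLE_LOG))
    for hour in find_spikes(counts, baseline_per_hour=1):
        print(f"ALERT {hour:%Y-%m-%d %H:00}: {counts[hour]} unattributed profile creations")
    print(mask_license("D1234567"))  # prints ****4567
```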
Root Inc., the parent company of Root Insurance Co., announced earlier this month that it joined a partnership with Hyundai Capital America (HCA) to bring innovative solutions and enhanced experiences to HCA.
“HCA’s leadership in auto finance, combined with Root’s expertise in mobile technology and customer-focused insurance models, seeks to address evolving industry needs and set new benchmarks for customer satisfaction,” a Root press release says. “By offering tailored products, the partnership strives to enhance the overall vehicle ownership experience to deliver personalized, technology-driven solutions.”
The release says the partnership will deliver insurance solutions that offer data-driven competitive rates to HCA customers.
Last month, James announced a lawsuit against National General and Allstate Insurance Co. for failing to protect New Yorkers’ personal information from cyberattacks.
Last year, James secured $500,000 from Noblr, a vehicle insurance company, for failing to protect personal information in a data breach. She also secured $11.3 million from GEICO and Travelers Insurance for poor data security.
An OAG investigation found that both companies did not implement sufficient data security controls prior to an industry-wide campaign by hackers to steal consumers’ personal information, including driver’s license numbers and dates of birth from auto insurance quoting applications, according to the release. It says the hackers used the information to file fraudulent unemployment claims during the COVID-19 pandemic.
A panel discussed data security during the 2024 MSO Symposium held in November in Las Vegas. The conversation followed a ransomware attack on CDK that rattled the dealership and collision repair industries. The attack caused the company to shut down its management system for 15,000 dealerships, which also disrupted parts ordering and inventory management for collision businesses. The system remained shut down for nearly two weeks.