
New York AG sues National General, Allstate for failing to protect consumer data in cyberattacks
New York Attorney General Letitia James filed a lawsuit Monday against National General and Allstate Insurance Co. for failing to protect New Yorkers’ personal information from cyberattacks, according to a press release.
National General, an Allstate company, suffered two back-to-back data breaches that exposed personal information in 2020 and 2021, according to the Attorney General’s Office (OAG). It says the breach exposed the driver’s license numbers of more than 165,000 New Yorkers.
“National General’s weak cybersecurity emboldened hackers to steal New Yorkers’ personal data, not once but twice in two separate cyberattacks,” said James in the release. “National General mishandled New Yorkers’ personal information and violated the law by failing to inform them that their data was stolen. It is crucial that companies take cybersecurity seriously to protect consumers from fraud and identity theft, and my office will always hold those who fail to do so accountable.”
The suit alleges that National General did not notify impacted consumers and neglected to determine whether sensitive information was exposed elsewhere in the system after the first breach.
It says National General’s failures allowed a second, larger breach to occur months later. It also claims that the breaches resulted from National General’s failure to implement reasonable data security measures before and after Allstate assumed control of its data security operations.
Allstate released a statement in response to the suit.
“We resolved this issue years ago, promptly securing our systems after finding vulnerabilities in online quoting tools that could have exposed driver’s license numbers,” Allstate’s statement says. “We promptly notified regulators, contacted potentially affected consumers and offered free credit monitoring as a precaution.”
National General’s online quoting website was attacked in the first breach, the release says.
“These websites were designed to automatically display consumers’ full driver’s license numbers in plain text with minimal input, a flaw that bad actors were able to take advantage of to access consumers’ private information,” the release says.
The first breach affected two public-facing websites and exposed the driver’s license numbers of nearly 12,000 people nationwide, including more than 9,100 New Yorkers, the release says.
In addition to failing to notify consumers, National General also failed to inform state agencies following the attack and left driver’s license numbers exposed on a separate quoting website used by independent insurance agents, the release says.
The insurance company detected another attack in February 2021 on the second website. The release says 187,000 consumers’ personal information was compromised, including about 155,000 New Yorkers.
“Driver’s license numbers are valuable to cyber-criminals and can be used to commit various forms of fraud, including identity theft and government benefits fraud,” the release says. “Under New York law, companies that own or license New Yorkers’ private data must take appropriate steps to secure it. Attorney General James alleges that National General violated state consumer protection and business laws by failing to secure sensitive information, misrepresenting its data security practices to customers and consumers, and failing to notify affected consumers of the initial breach.”
Last year, James secured $500,000 from Noblr, a vehicle insurance company, for failing to protect personal information in a data breach. She also secured $11.3 million from GEICO and Travelers Insurance for poor data security.
An OAG investigation found that neither company implemented sufficient data security controls prior to an industry-wide campaign by hackers to steal consumers’ personal information, including driver’s license numbers and dates of birth, from auto insurance quoting applications, according to the release. It says the hackers used the information to file fraudulent unemployment claims during the COVID-19 pandemic.
A panel discussed data security during the 2024 MSO Symposium held in November in Las Vegas. The conversation followed a ransomware attack on CDK that rattled the dealership and collision repair industry. The attack caused the company to shut down its management system to 15,000 dealerships, which also caused disruptions to parts ordering and inventory management for collision businesses. The system remained shut down for nearly two weeks.
Cybersecurity is a business risk that needs to be addressed at the top to protect employees, customers, and business interests, the panelists said. They also said the CDK attack exposed how connected businesses are to others they work with.
Ashley Denison, Caliber Collision’s chief information officer, said CDK is a fifth-level supplier to Caliber.
“It was not on our radar but it had such a big impact,” Denison said.
The attack impacted the supply chain and forced the company to check its security for any risk of connectivity.
Caliber has been reviewing its connectivity to other companies in each department, including revenue, parts, and labor.
Denison added, “What would we do if another CDK happened? What if some of the claims management systems went down?”