State AG and Financial Services secure $11.3M in penalties from Geico and Travelers insurance companies
The state said it has secured $11.3 million in penalties from auto insurers Geico and Travelers over holes in their cybersecurity that led to the personal information of tens of thousands of New Yorkers being compromised.
More than 120,000 New Yorkers had personal data, including driver’s license numbers and dates of birth, stolen by hackers to file fake unemployment insurance claims during the height of the pandemic, the state attorney general and the Department of Financial Services said Monday.
An investigation by the attorney general's office found that the two insurance companies failed to install “sufficient data security controls” that would have protected New Yorkers’ private data. The Department of Financial Services concluded in its own investigation that the two companies did not comply with regulations that require the use of “policies, procedures, and controls designed to protect consumer data,” the two state agencies said in a release.
The penalties levied by the state require Geico to pay $9.75 million — of which the attorney general's office secured $4.75 million and Financial Services secured $5 million — and Travelers to pay $1.55 million, the state said. New York State Attorney General Letitia James' Office secured $350,000 of Travelers' penalties, while Financial Services secured $1.2 million. Penalties are to be paid to the state and are not part of a settlement for consumers.
“GEICO and Travelers offer drivers protection during times of emergencies, but these companies failed to protect consumers’ personal information,” James said in a statement announcing the penalties.
“Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously,” James said.
The investigations found that the breaches were part of a coordinated effort by hackers to target auto insurers’ online insurance quoting software.
According to the state, Geico faced multiple cyberattacks on its customer-facing auto insurance quoting tools beginning in November 2020. While Geico was warned by the Department of Financial Services of “an industry-wide cyberattack campaign” against insurers, the company failed to do a comprehensive review of its systems.
After the website vulnerabilities were fixed, hackers then went after the backend tools used by its insurance agents for providing quotes to consumers. Data of approximately 116,000 New Yorkers was compromised in the attacks on Geico, the state said.
"These enforcement actions reinforce the Department’s commitment to ensuring that all licensees, especially those entrusted with consumer financial information like GEICO and Travelers, uphold their duty to implement robust measures that shield New Yorkers from potential data breaches and cyber threats," Adrienne A. Harris, superintendent of the Department of Financial Services, said in a statement.
In April 2021, Travelers underwent a similar cyberattack against the quoting system used by its agents, the state said. Hackers gained access to the online portal used by Travelers agents, but the company did not discover the breach for more than seven months.
Approximately 4,000 New Yorkers had their data compromised as a result, according to the state’s investigations.
In response to the penalties, Geico said it has taken steps to strengthen its cybersecurity.
“GEICO is pleased to have resolved this matter with the New York State Department of Financial Services and the New York State Attorney General,” Geico said in a statement to Newsday.
“When this issue was identified, GEICO self-reported it to New York State officials and the company made improvements to its systems to prevent additional exploitation by these fraudsters,” the insurer said. “GEICO takes data security very seriously and has since committed significant resources to further strengthen its cybersecurity program.”
Officials with Travelers said the company would continue to work with its insurance agents to prevent breaches.
"Protecting the information of all our stakeholders is a top priority, and we will continue to partner with our independent agents to prevent similar incidents in the future," a Travelers spokesperson said. "It is important to note that Travelers’ internal systems were not impacted by this incident.”