State AG and Financial Services secure $11.3M in penalties from Geico and Travelers insurance companies

The state said it has secured $11.3 million in penalties from auto insurers Geico and Travelers over holes in their cybersecurity that led to the personal information of tens of thousands of New Yorkers being compromised.

More than 120,000 New Yorkers had personal data, including driver’s license numbers and dates of birth, stolen by hackers to file fake unemployment insurance claims during the height of the pandemic, the state attorney general and the Department of Financial Services said Monday.

An investigation by the attorney general's office found that the two insurance companies failed to install “sufficient data security controls” that would have protected New Yorkers’ private data. The Department of Financial Services concluded in its own investigation that the two companies did not comply with regulations that require the use of “policies, procedures, and controls designed to protect consumer data,” the two state agencies said in a release.

The penalties levied by the state require Geico to pay $9.75 million — of which the attorney general's office secured $4.75 million and Financial Services secured $5 million — and Travelers to pay $1.55 million, the state said. New York State Attorney General Letitia James' office secured $350,000 of Travelers' penalties, while Financial Services secured $1.2 million.

“GEICO and Travelers offer drivers protection during times of emergencies, but these companies failed to protect consumers’ personal information,” James said in a statement announcing the penalties.

“Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously,” James said. “I thank the Department of Financial Services and the Department of Labor for their partnership and continued work to hold companies accountable when they fail to protect consumers.”

In response to the penalties, Geico said it has taken steps to strengthen its cybersecurity.

“GEICO is pleased to have resolved this matter with the New York State Department of Financial Services and the New York State Attorney General,” Geico said in a statement issued to Newsday.

“When this issue was identified, GEICO self-reported it to New York State officials and the company made improvements to its systems to prevent additional exploitation by these fraudsters,” the insurer said. “GEICO takes data security very seriously and has since committed significant resources to further strengthen its cybersecurity program.”

Officials with Travelers could not immediately be reached for comment.