A U.S. Insurance Company Fined $11.3 Million for Failing to Comply with Data Security Measures

424/67 Thursday, November 28, 2024

The State of New York has fined two auto insurance companies, GEICO and Travelers Indemnity, a total of $11.3 million for failing to secure customer data adequately. This failure allowed cybercriminals to steal the personal information of over 12,000 individuals and use it to file fraudulent unemployment claims during the COVID-19 pandemic.

Letitia James, New York State Attorney General, and Adrienne A. Harris, Superintendent of the New York State Department of Financial Services, stated that the companies’ inadequate data security measures violated state regulations requiring sufficient safeguards for personal information.

In GEICO’s case, a cyberattack occurred in November 2020. Hackers exploited vulnerabilities in GEICO’s online auto insurance quote system, leading to the theft of driver’s license numbers. Although GEICO had been warned about widespread cyber threats, it failed to comprehensively review its systems to prevent or detect future attacks. A second breach in GEICO’s agent quote system exposed the personal information of over 116,000 New York customers.

For Travelers Indemnity, a cyberattack in April 2021 targeted its premium calculation system used by independent agents. This resulted in the exposure of approximately 4,000 customers’ driver’s license data. Despite receiving multiple warnings about potential cyber threats, Travelers did not implement sufficient preventative measures.

As a result, GEICO was fined $9.75 million, while Travelers received a $1.55 million penalty. These incidents serve as a stark reminder that organizations must prioritize cybersecurity and uphold high data protection standards, not only to avoid significant fines but also to maintain consumer trust in an era where data is a prime target for cybercrime.

Source: https://www.darkreading.com/cybersecurity-operations/geico-travelers-fined-lax-data-security