Both GEICO and Travelers, major national insurance companies, will pay penalties for their poor data security after an investigation headed by the state attorney general and the state Department of Financial Services.
The 2020 cyber attack was launched by hackers who managed to steal personal information, including driver's licenses and birth dates, from online tools that provide customers with estimates for automobile insurance. Hackers then used that information to file fraudulent unemployment claims during the pandemic caused by the coronavirus.
GEICO and Travelers had weak data security measures in place to safeguard that information, a violation of regulations enforced by the Department of Financial Services, according to state Attorney General Letitia James' office.
"GEICO and Travelers offer drivers protection during times of emergencies, but these companies failed to protect consumers' personal information," James said in a statement. "Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously."
GEICO will pay the larger share of the penalties, nearly $10 million, while Travelers will pay nearly $1.6 million.
The companies also will strengthen security measures, review their systems, conduct risk assessments and develop action plans to address concerns, according to the attorney general's office.
"DFS's groundbreaking cybersecurity regulation establishes a vital foundation for ensuring the safety of sensitive consumer data and the resilience of financial institutions," said Adrienne A. Harris, superintendent of the Department of Financial Services.
The cyber attacks began in 2020 on GEICO's public-facing auto insurance quoting tools. The Department of Financial Services notified GEICO of an industry-wide attack, but the attorney general's office said the company did not bolster its systems to prevent future attacks. Hackers using the company's agent portal hit Travelers in April 2021, an intrusion the company did not detect for more than seven months.
Some of the data that hackers were able to obtain during the breach was later used in filing fraudulent unemployment claims.
In a statement, company spokesman Michael Young said GEICO self-reported the breach to New York and made improvements to its systems to prevent additional exploitation.
"GEICO takes data security very seriously and has since committed significant resources to further strengthen its cybersecurity program," Young said.
Cyber attacks have been cited as a growing threat to the critical infrastructure in New York. The state experienced over 25,000 cyber attacks in 2022, up from more than 16,400 attacks in 2016.
©2024 the Times Union, Distributed by Tribune Content Agency, LLC.