New York secures $14 million in fines from 8 car insurance companies after data breaches
Eight car insurance companies will pay a total of $14.2 million in fines to New York state following data breaches that exposed the private information of more than 825,000 people.
The penalties center around a long-running campaign in which hackers targeted tools that quoted car insurance prices. Cybercriminals could provide a minimal amount of information, like names or addresses, and the tools would auto-populate a person’s driver’s license number, vehicle identification number, date of birth and more.
Hackers used the auto-populated information to file fraudulent unemployment claims at the height of the COVID-19 pandemic, according to New York investigators.
The eight companies are American Family Mutual Insurance, Farmers Insurance, Hagerty Insurance Agency, The Hartford Insurance Group, Infinity Insurance, Liberty Mutual, Metromile, and State Auto Mutual Insurance.
New York Attorney General Letitia James said the companies “had poor cybersecurity that allowed hackers to easily steal New Yorkers’ personal information and use some of the information for fraud.”
“New Yorkers pay hundreds of dollars in car insurance each month. When they go searching for a cheaper option, they should not have to worry that their private information could be stolen,” she said.
Investigators found that the car insurance companies did not implement data security controls to protect customer information. In addition to the fines, all of them will have to make changes to their cybersecurity programs.
People impacted by the data breaches are being offered one year of credit report monitoring.
Last November, New York regulators hit insurance giants Geico and Travelers with more than $11 million in penalties for failing to protect a similar system that allowed cybercriminals to obtain the driver’s license numbers of about 120,000 New Yorkers in 2020. Geico previously said it began to mask driver’s license numbers after its team found cybercriminals discussing breaching the system and stealing driver’s license numbers.
Pre-fill theft
In addition to the consumer-facing quoting tools, some of the companies also had a private, password-protected tool built for insurance agents, officials said Tuesday. Both versions were abused by cybercriminals, the investigation found.
The pre-filled information was purchased from data brokers, the state said. Insurance companies have long argued that the purpose of the pre-fill tool is to immediately call up information many people may not have on hand, like license numbers or other information about drivers in their household.
New York’s Office of the Attorney General found that multiple companies had more than one security incident involving the pre-fill tool but did not have any security tools or systems in place to notify them of attacks.
Several of the companies did not have multifactor authentication in place for insurance agents who used the private version of the tool. Others did not have “common security tools that monitor and detect suspicious patterns, such as excessive requests from the same user or multiple requests by the same user from different IP addresses,” according to New York officials.
Investigators found that Farmers Insurance had three different attacks that gave hackers access to the information of about 45,000 New Yorkers. State Auto Mutual Insurance Company and American Family Mutual Insurance Company each exposed the information of 100,000 New York residents.
American Family Mutual Insurance is paying the largest fine of $2.8 million. Liberty Mutual Insurance, State Auto Insurance, Metromile and Infinity Insurance Company will each pay $2 million, while Farmers Insurance and Hagerty Insurance Agency will pay $1.3 million.
The companies also have to maintain a comprehensive information security program, develop a data inventory of private information and create authentication procedures as well as a logging and monitoring system.
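As an added illustration, not drawn from the investigation or from any insurer's systems, the monitoring that officials said was missing (flagging excessive requests from the same user, or one user arriving from several IP addresses) can be sketched in Python over a constructed pre-fill access log. The log format, account names, look-back window and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_REQUESTS = 5                # assumed ceiling on lookups per account per window
MAX_DISTINCT_IPS = 2            # assumed ceiling on source IPs per account per window
# Constructed sample log: timestamp, agent account, source IP (documentation ranges).
SAMPLE_LOG = """\
2021-02-01T09:00:00 agent-017 192.0.2.10
2021-02-01T09:01:00 agent-042 198.51.100.7
2021-02-01T09:01:20 agent-042 198.51.100.7
2021-02-01T09:01:40 agent-042 198.51.100.7
2021-02-01T09:02:00 agent-042 198.51.100.7
2021-02-01T09:02:20 agent-042 198.51.100.7
2021-02-01T09:02:40 agent-042 198.51.100.7
2021-02-01T09:03:00 agent-042 198.51.100.7
2021-02-01T09:10:00 agent-108 203.0.113.5
2021-02-01T09:12:00 agent-108 203.0.113.77
2021-02-01T09:14:00 agent-108 198.51.100.200
2021-02-01T09:25:00 agent-017 192.0.2.10
"""

def parse(log_text):
    """Yield (timestamp, user, ip) for each pre-fill lookup in the log."""
    for line in log_text.splitlines():
        ts, user, ip = line.split()
        yield datetime.fromisoformat(ts), user, ip

def detect(events):
    """Return (time, user, rule) each time an account first crosses a threshold."""
    recent = defaultdict(deque)  # per-account lookups still inside the window
    active, alerts = set(), []   # active: (user, rule) pairs already alerted on
    for ts, user, ip in sorted(events):
        q = recent[user]
        q.append((ts, ip))
        while ts - q[0][0] > WINDOW:  # evict lookups older than the window
            q.popleft()
        checks = {
            "excessive_requests": len(q) > MAX_REQUESTS,
            "multiple_ips": len({i for _, i in q}) > MAX_DISTINCT_IPS,
        }
        for rule, hit in checks.items():
            if hit and (user, rule) not in active:
                active.add((user, rule))
                alerts.append((ts.isoformat(), user, rule))
            elif not hit:
                active.discard((user, rule))
    return alerts

if __name__ == "__main__":
    print(detect(parse(SAMPLE_LOG)))
```

Each alert fires once when an account crosses a threshold and re-arms only after the account drops back under it, so a sustained burst does not flood whoever is reviewing the alerts.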
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.