New York State Fines Geico and Travelers $11.3 Million for Data Breaches

Published on December 5, 2024

New York State has fined auto insurers Geico and Travelers Indemnity a combined $11.3 million for cybersecurity lapses that exposed sensitive customer data. The breaches compromised the personal information of approximately 120,000 individuals during the Covid-19 pandemic.

Details of the Breaches

The fines were issued by New York Attorney General Letitia James and the New York State Department of Financial Services (NYS DFS), who cited both insurers for failing to protect their online systems. The breaches involved hackers accessing customer data through vulnerabilities in Geico’s and Travelers’ quoting tools, used by insurance agents to generate quotes.

The breach at Geico began in 2020 and allowed attackers to steal driver’s license numbers and dates of birth for around 116,000 individuals.

In the case of Travelers, the breach occurred in April 2021 when hackers used stolen credentials to access a quoting tool without multifactor authentication, leading to the theft of data from around 4,000 individuals.

Violation of Cybersecurity Regulations

The NYS DFS concluded that both companies violated New York’s 2017 cybersecurity regulations, among the strictest in the United States. These regulations, updated in 2023, include requirements for ransom payments and board oversight of cybersecurity risk management.

The data breaches were part of a larger wave of cyberattacks during the Covid-19 pandemic, when many companies faced heightened vulnerability. Some stolen information was reportedly used to file fraudulent unemployment claims. The Government Accountability Office estimated that between $100 billion and $135 billion in unemployment payments made during the pandemic were fraudulent.

Financial Penalties and Required Improvements

Geico was fined $9.75 million, while Travelers received a $1.55 million fine. Both insurers are now required to implement enhanced cybersecurity measures, including stronger authentication and improved logging of system access.

Geico and Travelers have acknowledged the incidents and expressed their commitment to improving cybersecurity practices. A Travelers spokesperson emphasized efforts to strengthen defenses and work with independent agents to prevent future incidents. Geico noted that it self-reported the issue and has invested in improving its cybersecurity systems.

“Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously,” said Attorney General Letitia James.

Industry-Wide Reminder

These incidents remind the insurance industry of the importance of implementing robust cybersecurity measures. With cyber threats on the rise, organizations must continuously strengthen their defenses to protect sensitive customer data and maintain compliance.