Two auto insurance coverage firms pays a hefty penalty for what the State of New York says was insufficient safety that allowed hackers to compromise private information of greater than 12,000 state residents.
New York Legal professional Normal Letitia James and New York State Division of Monetary Providers (DFS) Superintendent Adrienne A. Harris mentioned the $11.3 million fines in opposition to Authorities Staff Insurance coverage Co. (GEICO) and the Vacationers Indemnity Co. follows what the state deemed “poor information safety” practices that allowed cybercriminals to steal driver license numbers. Worse, on the peak of the COVID-19 disaster, they used that information to file fraudulent unemployment claims. Particularly, the insurers have been discovered to have violated a state regulation to “implement insurance policies, procedures, and controls designed to guard shopper information in addition to the monetary establishments themselves,” their assertion mentioned.
GEICO has been ordered to pay $9.75 million, and Vacationers pays $1.55 million.
“GEICO and Vacationers provide drivers safety throughout occasions of emergencies, however these firms failed to guard customers’ private data,” James mentioned. “Knowledge breaches can result in critical fraud, and that’s the reason it is vital for all firms to take cybersecurity and information safety critically.”
GEICO skilled a November 2020 compromise of its auto insurance coverage quoting software, permitting risk actors to steal driver license numbers from the corporate’s public-facing web site, New York regulators mentioned.
“Regardless of being notified by DFS of an industry-wide cyberattack marketing campaign to acquire driver’s license numbers, and struggling, disclosing, and remediating separate cybersecurity incidents, GEICO didn’t conduct a complete overview of its methods to forestall and detect future cyberattacks,” the assertion continued.
Following that breach, hackers pivoted to use a vulnerability in GEICO’s quoting software for insurance coverage brokers on a separate platform.
Each cyberattacks in opposition to GEICO uncovered the non-public data of about 116,000 New York residents, most of these leaked within the second compromise, the assertion added.
Vacationers too was breached by means of the same cyberattack in opposition to its auto insurance coverage quoting software, this time a calculator utilized by impartial brokers. Regardless of receiving a number of alerts that risk actors have been conducting a lot of these campaigns, in April 2021, hackers have been ready to make use of compromised credentials to generate experiences with license numbers in plain textual content, exposing the info of 4,000 New Yorkers, the assertion mentioned.
In addition to the penalties, these insurers have agreed to enhance their cybersecurity practices together with bettering protections for personal data, conducting a complete information stock, requiring authentication to entry non-public information, implementing logging and monitoring, and enhancing risk response planning and procedures.
GEICO additionally agreed to conduct remedial measures, together with complete threat evaluation and penetration testing, plus growing an motion plan to handle any ensuing points. Vacationers agreed to overview its methods, assess its personal entry controls, and enhance protections in opposition to unauthorized entry to nonpublic private data, in accordance with the regulators’ assertion.
