Insurance Companies Sued for Failing to Secure Customers’ Data

Driver’s License Numbers Belonging to Over 165,000 New Yorkers Obtained by Hackers

By Hank Russell

New York Attorney General Letitia James today filed a lawsuit against several insurance companies doing business as National General and Allstate Insurance Company for failing to protect New Yorkers’ personal information from cyberattacks.

In 2020 and 2021, National General suffered a pair of back-to-back data breaches that exposed the driver’s license numbers of more than 165,000 New Yorkers. The Office of the Attorney General (OAG) alleges that, following the first breach, National General failed to notify the affected consumers about the breach and neglected to determine whether sensitive information was exposed elsewhere in its system, which allowed for a second, larger breach to occur months later.

James alleges the two breaches were a result of National General’s failure to implement reasonable data security measures, both before and after Allstate assumed control of its data security operations in 2021.

In 2020, attackers began targeting National General’s online quoting websites, which provide consumers with instant auto insurance quotes. According to the lawsuit, these websites were designed to automatically display consumers’ full driver’s license numbers in plain text with minimal input, a flaw that bad actors exploited to access consumers’ private information. The first breach, which affected two public-facing websites, exposed the driver’s license numbers of nearly 12,000 individuals, including more than 9,100 New Yorkers. Due to inadequate monitoring and the websites’ lack of protections against automated attacks, National General failed to detect the breach for two months.

Upon discovering the breach, National General failed to alert the consumers whose data was exposed or notify the appropriate state agencies. The company also continued to leave driver’s license numbers exposed on a separate quoting website for independent insurance agents, which was also weakly protected. Attackers then targeted this system in a second, far larger breach, which National General detected in February 2021. This attack compromised the personal information of an additional 187,000 consumers, including the driver’s license numbers of roughly 155,000 New Yorkers. National General’s data security failures continued after The Allstate Corporation acquired National General and Allstate took control of National General’s data security function.

Under New York law, companies that own or license New Yorkers’ private data must take appropriate steps to secure it. James alleges that National General violated state consumer protection and business laws by failing to secure sensitive information, misrepresenting its data security practices to customers and consumers, and failing to notify affected consumers of the initial breach.

“National General’s weak cybersecurity emboldened hackers to steal New Yorkers’ personal data, not once but twice in two separate cyberattacks,” James said. “National General mishandled New Yorkers’ personal information and violated the law by failing to inform them that their data was stolen. It is crucial that companies take cybersecurity seriously to protect consumers from fraud and identity theft, and my office will always hold those who fail to do so accountable.”

Long Island Life & Politics reached out to National General and Allstate for comment. Allstate responded with the following statement: “We resolved this issue years ago, promptly securing our systems after finding vulnerabilities in online quoting tools that could have exposed driver’s license numbers. We promptly notified regulators, contacted potentially affected consumers and offered free credit monitoring as a precaution.”