Auto Insurance Company Must Pay $975K for Data Breach

Nearly 45,000 New Yorkers Had Personal Information Stolen

By Lindsay Press

An auto insurance company has been ordered by Attorney General Letitia James to pay $975,000 in penalties after, according to James, it failed to protect the personal information of about 45,000 New Yorkers.

In January 2021, Root found bad actors taking advantage of the prefill vulnerability. The Attorney General’s office determined that Root had not conducted satisfactory risk assessments on its public-facing web applications, employed insufficient controls to prevent automated attacks, and did not identify the plain text exposure of consumer personal information. 

Although Root, which is based in Columbus, Ohio, does not provide insurance in New York, the scammers were able to get state residents’ personal information — including dates of birth and driver’s license numbers — from the company’s insurance quoting applications. They used that data to file fraudulent unemployment claims at the height of the COVID-19 pandemic, according to James. 

The Attorney General’s office investigation found that Root failed to create protections to safeguard private information. In addition to paying $975,000 in penalties, Root is required to update its data security by doing the following:

  • Maintaining a comprehensive information security program designed to safeguard the security, confidentiality, and integrity of private information
  • Creating and maintaining a data inventory of private information and ensuring the data is protected by reasonable safeguards
  • Maintaining a logging and monitoring system, along with reasonable policies and procedures for configuring the system to properly alert on suspicious activity

“When companies have poor data security practices, they put individuals at risk of identity theft and other fraud,” said James. “Auto insurance companies need to make sure that the systems they use to store people’s data are protected to prevent cybercriminals from stealing driver’s license numbers, Social Security numbers, and other private information. Today’s settlement should send a message to companies in the auto insurance industry that my office will take action to protect New Yorkers’ private information.”

In response to James’ allegations, a representative from Root said to Long Island Life & Politics in a statement, “Protecting customer personal data remains a top priority at Root. We maintain high data security standards and, in light of this event, have made improvements to avoid fraudulent activity. Any person impacted by the breach was immediately offered credit monitoring services at the time of the incident as a precaution. Root is glad to have resolved this matter with the New York State Attorney General.”