Hackers Got into GEICO, Travelers Websites, Stole New Yorkers’ Driver’s License Numbers and Fraudulently Obtained Unemployment Benefits
By Hank Russell
New York Attorney General Letitia James and New York State Department of Financial Services (DFS) Superintendent Adrienne A. Harris secured $11.3 million in penalties from two auto insurance companies, the Government Employees Insurance Company (GEICO) and The Travelers Indemnity Company. James and Harris claimed both GEICO and Travelers had poor data security which led to the personal information of more than 120,000 New Yorkers being compromised.
These events were part of an industry-wide campaign by hackers to steal consumers’ personal information, including driver’s license numbers and dates of birth, from online automobile insurance quoting applications, including those used by GEICO and Travelers. The hackers then used some of the stolen driver’s license information to file fraudulent unemployment claims at the height of the COVID-19 pandemic.
“GEICO and Travelers offer drivers protection during times of emergencies, but these companies failed to protect consumers’ personal information,” James said. “Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously. I thank the Department of Financial Services and the Department of Labor for their partnership and continued work to hold companies accountable when they fail to protect consumers.”
“DFS’s groundbreaking cybersecurity regulation establishes a vital foundation for ensuring the safety of sensitive consumer data and the resilience of financial institutions,” Harris said. “These enforcement actions reinforce the Department’s commitment to ensuring that all licensees, especially those entrusted with consumer financial information like GEICO and Travelers, uphold their duty to implement robust measures that shield New Yorkers from potential data breaches and cyber threats. I thank the Attorney General’s office for their coordination during these investigations.”
Starting in November 2020, GEICO experienced a series of cyberattacks on its auto insurance quoting tools. Hackers were able to obtain New Yorkers’ driver’s license numbers from GEICO’s publicly-facing website because, according to James and Harris, GEICO failed to protect this information on the website’s back end. Despite being notified by DFS of an industry-wide cyberattack campaign to obtain driver’s license numbers, and suffering, disclosing, and remediating separate cybersecurity incidents, GEICO failed to conduct a comprehensive review of its systems to prevent and detect future cyberattacks.
After GEICO remediated its website vulnerabilities, hackers exploited vulnerabilities in GEICO’s insurance agents’ quoting tool, a separate platform from the consumer-facing insurance quotes website. The personal information of approximately 116,000 New York residents was exposed in the GEICO cyberattacks, with the vast majority being lifted from GEICO’s insurance agents’ quoting tool. Some of the exposed data was later used to file unemployment claims during the COVID-19 pandemic.
Travelers experienced a cyberattack on its auto insurance quoting tool for independent agents. Between January and April 2021, Travelers received several industry alerts warning that hackers were obtaining driver’s license numbers through insurance quoting tools. In April 2021, hackers gained access to Travelers’ agent portal through the use of compromised agent credentials, which allowed users to generate reports that included consumers’ full driver’s license numbers in plain text. The insurance agent portal was password-protected but did not use multifactor authentication or any other compensating controls, making it easier to exploit.
James and Harris said Travelers did not detect the breach of its agent portal for more than seven months and was alerted to the attack by a third-party prefill data provider. The Travelers attack exposed the personal information of approximately 4,000 New Yorkers.
The OAG investigation concluded that the auto insurance companies did not implement sufficient data security controls to protect consumers’ private information. The DFS investigation concluded that the auto insurance companies did not comply with the agency’s cybersecurity regulation that requires them to implement policies, procedures, and controls designed to protect consumer data and the financial institutions themselves. As a result of these settlements, GEICO will pay $9.75 million in penalties and Travelers will pay $1.55 million.
In addition to the penalties, the OAG settlement agreement requires the companies to adopt a series of measures aimed at strengthening their cybersecurity practices going forward, including:
- Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
- Developing and maintaining a data inventory of private information and ensuring the information is protected by safeguards;
- Maintaining reasonable authentication procedures for access to private information;
- Maintaining a logging and monitoring system as well as reasonable policies and procedures designed to properly configure such system to alert on suspicious activity; and
- Enhancing their threat response procedures.
As part of this settlement with DFS, GEICO agreed to conduct remedial measures, including a comprehensive cybersecurity risk assessment and penetration testing, and the development of an action plan to address any resulting concerns. “GEICO is pleased to have resolved this matter with the New York State Department of Financial Services and the New York State Attorney General,” the company said in a statement. “When this issue was identified, GEICO self-reported it to New York State officials and the company made improvements to its systems to prevent additional exploitation by these fraudsters. GEICO takes data security very seriously and has since committed significant resources to further strengthen its cybersecurity program.”
Travelers agreed to review its systems, assess access controls, and improve protections against unauthorized access to NPI (nonpublic personal information). In a statement sent to Long Island Life & Politics, a Travelers spokesperson said, “We’re pleased to have resolved this matter, which involved the stolen credentials of a limited number of independent agents. Protecting the information of all our stakeholders is a top priority, and we will continue to partner with our independent agents to prevent similar incidents in the future. It is important to note that Travelers’ internal systems were not impacted by this incident.”