The New York Attorney General and the Department of Financial Services have imposed fines totaling $11.3 million on GEICO and Travelers (NYSE:TRV) for inadequate cybersecurity measures that led to the compromise of over 120,000 New Yorkers' personal data. The breaches occurred during a widespread hacking campaign targeting online auto insurance quoting applications, which allowed hackers to access sensitive information such as driver’s license numbers.
The investigations by the Attorney General's Office and the Department of Financial Services concluded that both companies failed to implement necessary data security controls and did not comply with the state's cybersecurity regulations. Consequently, GEICO will pay $9.75 million, and Travelers will pay $1.55 million in penalties.
The security lapses at GEICO resulted in approximately 116,000 residents' data being exposed, mainly through the company's insurance agents' quoting tool. Travelers' breach, which went undetected for over seven months, affected about 4,000 New Yorkers. The stolen data was later used by hackers to file fraudulent unemployment claims during the COVID-19 pandemic.
As a part of the settlements, both companies are required to enhance their cybersecurity protocols significantly. This includes developing a comprehensive information security program, maintaining a data inventory with proper safeguards, implementing reasonable authentication procedures, and improving threat response procedures.
GEICO has agreed to conduct a comprehensive cybersecurity risk assessment and develop an action plan to address potential issues. Similarly, Travelers is expected to review its systems, assess access controls, and strengthen protections against unauthorized access to nonpublic personal information.
The New York State Department of Financial Services has been proactive in enforcing cybersecurity regulations, with consent orders resulting in over $100 million in fines since the implementation of the Cybersecurity Regulation. The updated amendment, effective as of November 2023, aims to further protect New York businesses and consumers.
This enforcement action is part of a series of measures taken by Attorney General Letitia James to hold companies accountable for poor cybersecurity practices and improve data protection. The settlements underscore the state's commitment to ensuring the safety of consumer data and the resilience of financial institutions against cyber threats. This information is based on a press release statement.
This article was generated with the support of AI and reviewed by an editor. For more information see our T&C.