Introduction

The State of New York has reached a settlement totaling $11.3 million with Berkshire Hathaway Inc.’s Government Employees Insurance Company (GEICO) and The Travelers Indemnity Company (Travelers) following significant cybersecurity failures. These breaches compromised the personal information of over 120,000 residents and were part of a larger cyberattack campaign targeting online automobile insurance quoting applications [1].

Description

The investigations [4] [7], led by New York Attorney General Letitia James and DFS Superintendent Adrienne Harris [3], found that attackers had accessed sensitive personal data, including driver's license numbers and dates of birth [1] [3] [5] [6]. That information was subsequently used to file fraudulent unemployment claims during the COVID-19 pandemic [1] [4] [5]. Both GEICO and Travelers were found to have maintained insufficient data security controls and to have failed to comply with the state regulations designed to protect consumer data.

Under the settlement [4], GEICO, whose breaches affected approximately 116,000 New Yorkers [3] [5] [6], will pay $9.75 million [1] [2] [3] [4] [5], and Travelers, whose breach affected around 4,000 customers, will pay $1.55 million [1] [2] [3] [4] [5] [7]. The penalties are paid to the state and are not intended as compensation for affected consumers [6].

GEICO suffered a series of cyberattacks beginning in November 2020 [3] that exposed New Yorkers' personal information through inadequately secured features of its publicly facing website. Although DFS had already alerted insurers to the ongoing campaign against online quoting tools, GEICO did not conduct a thorough review of its systems [2] [5], and further weaknesses were subsequently exploited [5].

Travelers was breached in a similar fashion [1] [6] between January and April 2021 [3]: attackers logged into its agent portal using compromised credentials, and the portal did not require multifactor authentication or other essential access controls. The intrusion went undetected for over seven months, affecting around 4,000 New Yorkers [1] [3] [5] [6].

In addition to the financial penalties, both companies are now required to significantly enhance their cybersecurity measures. GEICO must implement a comprehensive information security program [1] [3] [4], maintain a data inventory [3], and improve authentication procedures for accessing private data [4]. Travelers is mandated to conduct a cybersecurity risk assessment and strengthen access controls [3]. Furthermore, both companies are expected to enhance their threat response protocols to prevent future breaches and better protect sensitive information.

Conclusion

The settlement underscores the importance of robust cybersecurity controls in protecting consumer data. The financial penalties and mandated improvements signal to other companies that regulators expect compliance with data protection rules, not merely a response after a breach. By strengthening their cybersecurity programs, GEICO and Travelers are expected to prevent future breaches, safeguard sensitive information, and restore consumer trust.

References

[1] https://ag.ny.gov/press-release/2024/attorney-general-james-and-dfs-superintendent-harris-secure-113-million-auto
[2] https://www.pymnts.com/news/2024/geico-and-travelers-fined-11-3-million-for-ny-data-breaches/
[3] https://wnynewsnow.com/2024/11/25/11-3m-secured-from-geico-travelers-over-data-breaches-exposing-120k-new-yorkers-personal-information/
[4] https://www.infosecurity-magazine.com/news/new-york-insurance-data-breach/
[5] https://www.insurancejournal.com/news/east/2024/11/25/802407.htm
[6] https://www.newsday.com/business/data-breach-penalty-x696ashd
[7] https://www.law.com/newyorklawjournal/2024/11/25/geico-travelers-to-pay-ny-113m-for-cybersecurity-breaches/