The New York Attorney General’s office fined car insurance company Geico $9.75 million


The New York Attorney General’s office imposed a fine of $9.75 million on Geico for hacks that compromised the personal information of 116,000 drivers in the state. The Attorney General and the state Department of Financial Services stated that both Geico and Travelers Indemnity Company breached state data protection regulations by inadequately implementing measures to safeguard consumers’ information.

Both firms were targeted by hackers during the COVID-19 pandemic, amidst a surge of cyberattacks aimed at extracting details such as drivers’ license numbers for fraudulent unemployment claims, according to the agencies. Travelers will incur a penalty of $1.55 million for a security breach that revealed information on about 4,000 individuals, as reported by the agencies.

Both companies have agreed to take steps to enhance their cybersecurity protocols. A representative from Geico mentioned that the company reported the incident to the state and has since allocated significant resources toward bolstering its cybersecurity defenses. A spokesperson for Travelers has not yet responded to a request for comment.

In a noteworthy enforcement action, New York Attorney General Letitia James has levied a joint fine of $11.3 million against the insurance giants Geico and Travelers Indemnity Company for data breaches that placed the personal information of over 120,000 people at risk during the COVID-19 pandemic. The penalties, disclosed by the New York Department of Financial Services (DFS), underscore serious deficiencies in the cybersecurity practices of both companies, which were exploited to steal sensitive information such as drivers’ license numbers and personal data.

The data breaches affecting Geico and Travelers highlighted security vulnerabilities that, although typical in cyber incidents, emphasize areas where enhanced measures could have potentially reduced the risk.

Geico’s breach originated from weaknesses in its online quoting tool, a system designed to make obtaining insurance quotes easier for customers. Between 2020 and 2021, attackers abused this tool through credential stuffing attacks. In this method, criminals replay usernames and passwords stolen in earlier data breaches against the login form, trying one combination after another until some of them succeed.

After breaching the system, attackers managed to extract the drivers’ license numbers of around 116,000 individuals. While this information isn’t a direct financial target, it can play a critical role in identity theft schemes, such as filing fraudulent unemployment claims, a problem that increased during the pandemic.

This breach highlights the necessity of implementing protections such as CAPTCHA and other automated bot detection mechanisms in systems that handle sensitive information. Stronger verification measures, such as multi-layered identity checks, could have provided additional protection against these types of attacks.
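The pattern described above (many different usernames tried from one source, most of them failing, with the occasional hit) is detectable in ordinary login logs. The following is an added illustration, not code from the article or from either insurer: a small detector that slides a time window over per-source-IP login events and flags sources that exceed a distinct-username threshold with a high failure ratio, also listing which accounts did log in successfully from a flagged source. The log format and the log lines are constructed for this example; the thresholds are assumptions to tune per deployment.

```python
"""Credential-stuffing detector over login logs (added illustration).

Assumed (constructed) log format, one event per line:
    <ISO timestamp> <source ip> <username> LOGIN_OK|LOGIN_FAIL
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window per source IP
MAX_DISTINCT_USERS = 5           # more usernames than this from one IP ...
MIN_FAIL_RATIO = 0.8             # ... with at least this share of failures


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, username, success)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "LOGIN_OK"


def detect_credential_stuffing(lines):
    """Return {ip: {"attempts", "distinct_users", "compromised"}} for every
    source IP whose activity inside any WINDOW matches the stuffing pattern.
    'compromised' lists accounts that logged in successfully from that IP
    while it was flagged, i.e. the accounts an incident responder must reset."""
    events = sorted(parse_line(line) for line in lines if line.strip())
    recent = defaultdict(deque)   # per-IP events inside the current window
    findings = {}
    for ts, ip, user, ok in events:
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > WINDOW:      # drop events older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        fails = sum(1 for _, _, success in q if not success)
        if len(users) > MAX_DISTINCT_USERS and fails / len(q) >= MIN_FAIL_RATIO:
            hit = findings.setdefault(
                ip, {"attempts": 0, "distinct_users": 0, "compromised": set()})
            hit["attempts"] = max(hit["attempts"], len(q))
            hit["distinct_users"] = max(hit["distinct_users"], len(users))
            hit["compromised"].update(u for _, u, success in q if success)
    return findings


# Constructed sample: one stuffing source (TEST-NET-3 address), one user who
# mistypes a password twice, and one clean login.
SAMPLE_LOG = [
    "2021-03-01T09:00:00 203.0.113.7 k.nguyen LOGIN_FAIL",
    "2021-03-01T09:00:05 203.0.113.7 p.okafor LOGIN_FAIL",
    "2021-03-01T09:00:09 203.0.113.7 l.chen LOGIN_FAIL",
    "2021-03-01T09:00:14 203.0.113.7 d.kowalski LOGIN_FAIL",
    "2021-03-01T09:00:18 203.0.113.7 m.rivera LOGIN_OK",
    "2021-03-01T09:00:23 203.0.113.7 s.ahmed LOGIN_FAIL",
    "2021-03-01T09:00:27 203.0.113.7 t.brown LOGIN_FAIL",
    "2021-03-01T09:00:31 203.0.113.7 r.garcia LOGIN_FAIL",
    "2021-03-01T09:01:00 198.51.100.20 j.doe LOGIN_FAIL",
    "2021-03-01T09:01:20 198.51.100.20 j.doe LOGIN_FAIL",
    "2021-03-01T09:01:40 198.51.100.20 j.doe LOGIN_OK",
    "2021-03-01T09:02:00 192.0.2.44 a.smith LOGIN_OK",
]

if __name__ == "__main__":
    for ip, hit in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, hit["attempts"], "attempts,", hit["distinct_users"],
              "usernames, compromised:", sorted(hit["compromised"]))
```

On the sample, the source 203.0.113.7 is flagged (eight usernames, seven failures) and the single successful account is reported for a forced password reset, while the user who simply mistyped a password is not. The same per-source logic is what a bot-detection or rate-limiting layer in front of a quoting tool would act on.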

The Travelers data breach occurred in April 2021 and compromised the data of about 4,000 individuals. The attackers gained entry by utilizing stolen employee credentials, a technique that circumvented the company’s defenses because of the lack of multifactor authentication.

MFA, which requires users to confirm their identity with a secondary factor, such as a code generated on a mobile phone, is regarded as a fundamental security measure in today’s threat environment. In the absence of this barrier, the attackers were able to access the system using just a username and password.

Although there have been no reports of misuse regarding the exposed data, this incident illustrates the critical need for adopting MFA as standard practice to protect internal systems. Both breaches took place during a time of increased online activity fueled by the COVID-19 pandemic, demonstrating how attackers exploited weakened systems and widespread remote work to capitalize on known vulnerabilities.

The fines—$9.75 million for Geico and $1.55 million for Travelers—underscore New York’s role as a frontrunner in cybersecurity regulation. The DFS enforces stringent requirements under its Cybersecurity Regulation, 23 NYCRR Part 500, which mandates financial organizations to uphold robust cybersecurity programs, regularly evaluate risks, and implement safeguards such as MFA.

Both companies were found in violation of these regulations: Geico’s inability to secure its online quoting tool permitted unauthorized access to sensitive customer information, while Travelers’ omission of MFA rendered internal systems susceptible to breaches.

“DFS’s pioneering cybersecurity regulation provides an essential framework for ensuring the protection of sensitive consumer data and the resilience of financial institutions,” remarked New York State Financial Services Superintendent Adrienne Harris. “These enforcement actions reinforce the Department’s commitment to ensuring that all licensees, especially those responsible for consumer financial information like GEICO and Travelers, fulfill their obligation to implement strong measures that protect New Yorkers from potential data breaches and cyber threats. I appreciate the collaboration with the Attorney General’s office during these efforts.”

In response to my inquiry, a representative from Geico stated, “GEICO is happy to have come to a resolution regarding this issue with the New York State Department of Financial Services and the New York State Attorney General. Upon discovering this problem, GEICO voluntarily reported it to officials in New York State and made enhancements to its systems to avert further exploitation by these fraudsters. GEICO is serious about data security and has made substantial commitments to bolster its cybersecurity efforts.”

Consequences for Consumers: The Lasting Effects of Data Breaches

For those affected by the breaches at Geico and Travelers, the repercussions extend beyond the initial exposure of personal information. The aftermath can influence financial security and long-term stability.

The Financial Ramifications of Data Breaches

In the case of Geico, the theft of driver’s license numbers created avenues for criminals to submit fraudulent unemployment claims. These scams not only interfered with legitimate claims but also compelled affected individuals to dedicate considerable time and effort to verifying their identities and contesting false submissions. In some instances, these fraudulent claims may have postponed crucial benefits for victims during an already difficult period.

For Travelers, while fewer individuals were involved, the breach revealed personal information that could facilitate identity theft or other fraudulent activities. The revelation of such data adds a layer of apprehension for those impacted, even if there’s no immediate report of misuse.

The Emotional and Pragmatic Impact of Data Breaches

Beyond the financial consequences, the emotional strain on victims is considerable. The awareness that personal information is in the possession of unknown individuals results in anxiety and a persistent feeling of vulnerability. Victims often find themselves questioning how, when, or if their data could be exploited in the future.

Recovering from these breaches can take a significant amount of time. Victims might need to keep an eye on their credit for suspicious activities, place fraud alerts or freezes on their accounts, and consider investing in identity protection services. This process often entails not just addressing immediate concerns but also remaining alert for potential future abuse of stolen information.

Data Breach Enforcement Intensifies

The breaches at Geico and Travelers underscore the extensive ramifications of data exposure, impacting not only companies but also the individuals whose personal details have been compromised. New York’s regulatory actions indicate that authorities are increasingly holding organizations accountable for safeguarding sensitive information, highlighting a larger movement towards enhanced cybersecurity practices across various sectors. For consumers, these incidents serve as a reminder to remain vigilant in monitoring their accounts and protecting their personal information.

Both Geico and Travelers have been approached for comments. Geico provided a statement that has been integrated into the article.

The DFS found that Geico and Travelers had insufficient security measures, resulting in the compromise of sensitive information. The breaches involved a sequence of cyberattacks targeting Geico starting in 2020 and one against Travelers in 2021.

In both scenarios, attackers accessed the companies’ third-party auto insurance quoting tools and extracted driver’s license numbers.

The DFS asserted that Geico did not adequately secure its publicly accessible website and neglected to thoroughly review its systems after being informed about the attack campaign. Although Geico addressed vulnerabilities affecting its website, attackers managed to exploit weaknesses in Geico’s insurance agents’ quoting tool to access the data. This attack compromised the driver’s license numbers of 116,000 residents of New York State.

Concerning Travelers, the DFS stated that the insurer failed to adopt adequate security protocols despite prior warnings of an attack campaign targeting insurance quoting tools. During the assault on Travelers, threat actors used stolen credentials belonging to Travelers agents. The DFS noted that Travelers’ agent portal lacked multi-factor authentication, which attackers exploited to gain initial entry.

The DFS reported that it took more than seven months for Travelers to identify suspicious activity on the compromised agent portal. This attack exposed the personal information of 4,000 individuals from New York.

For these breaches, Geico was fined $9.75 million, and Travelers faced a penalty of $1.55 million. Moreover, both insurers are obligated to enhance their security protocols by creating and maintaining a data inventory of private information, strengthening threat detection and response tools, and improving authentication methods.

In the consent order involving the DFS and Geico, the agency revealed that attackers took advantage of a vulnerability found in the third-party quoting tool 75 times between 2020 and 2021. It also disclosed that attackers demanded ransom from Geico during the 2020 incident.

“Geico did not identify the Third Cybersecurity Event until March 1, 2021, when it received messages from threat actors trying to ransom stolen customer data back to Geico, along with separate communications from an individual detailing a personal dispute with the threat actors and guiding GEICO on the precise steps taken to steal the customer data and what actions GEICO needed to implement to address the vulnerability,” New York State DFS mentioned in the consent order.

The consent order highlighted further aspects where Geico’s security was deficient. For instance, it stated that Geico failed to encrypt sensitive information or carry out annual penetration tests on its network.

Geico was mandated to perform a cybersecurity risk assessment within 30 days following the issuance of the consent order.

TechTarget Editorial reached out to Travelers for a response, and a company representative provided this statement:

“We are glad to have settled this issue, which involved the compromised credentials of a limited number of independent agents. Safeguarding the information of all our stakeholders is a top priority, and we will continue collaborating with our independent agents to thwart similar incidents in the future. It is vital to emphasize that Travelers’ internal systems were not affected by this incident.”

Geico and Travelers are among the latest firms to face fines from regulatory authorities due to security deficiencies this year. Last month, the U.S. Federal Trade Commission instructed Marriott International Inc. to pay $52 million in fines and enhance their security measures after three data breaches impacted over 300 million customers. T-Mobile was also ordered to pay a $15.75 million penalty last month by the Federal Communications Commission concerning the telecom giant’s management of various data breaches. As part of the settlement, T-Mobile is required to invest another $15.75 million into its enterprise security program.

GEICO and Travelers are two of the largest auto insurance providers in the United States, and if you’re looking for new coverage, you’re likely comparing these companies.

GEICO ranks as the third-largest auto insurance company in America and provides coverage for over 28 million vehicles. The company has received high ratings for financial stability and an Insurify Quality (IQ) Score of 9.0 due to its competitive rates, round-the-clock customer service, and various discounts available.

Travelers boasts strong financial strength ratings and has a 165-year history of providing automobile insurance. Travelers also earned an IQ Score of 9.0 and has received high ratings for customer service in certain markets. However, online customer reviews are mixed.

GEICO vs. Travelers: The conclusion

GEICO car insurance tends to offer lower premiums compared to Travelers for both full coverage and liability-only policies. Drivers without a previous accident, those who have had an accident, or individuals with a DUI will generally find that GEICO’s average car insurance rates are more economical than those of Travelers.

GEICO auto insurance also surpassed Travelers in most regions for customer satisfaction in the 2022 J.D. Power U.S. Auto Insurance study, and it holds an A+ rating with the Better Business Bureau (BBB), whereas Travelers has an A rating.

However, for drivers seeking to work with a licensed insurance agent, GEICO has a considerably smaller network, with approximately 300 agents and brokers nationwide, in contrast to 13,500 for Travelers.

GEICO

GEICO ranks as the third-largest auto insurance provider in the U.S. and has received favorable evaluations from both the BBB and in J.D. Power’s U.S. Auto Insurance Study.

GEICO, a subsidiary of the Berkshire Hathaway Group, is the third-largest insurer in the U.S. based on market share. In addition to auto insurance, GEICO offers homeowners, renters, flood, travel, life, and business insurance, among other products. The insurer presents various car insurance discounts to assist drivers in saving money. For instance, drivers who maintain an accident-free record for five years can receive a 22% discount on premiums, while good students may qualify for a 15% discount. GEICO’s complaint score from the National Association of Insurance Commissioners is below average, which indicates it receives fewer complaints from consumers than average.

Travelers

Travelers is a national insurance provider with an expansive network of agents that performed better than GEICO in the mid-Atlantic region as per J.D. Power’s U.S. Auto Insurance Study.

Travelers is the sixth-largest insurer in the U.S. in terms of market share and has provided services for more than 150 years. The company offers auto, homeowners, renters, flood, pet, and other insurance types. Besides standard auto coverage options such as liability, collision, and comprehensive coverage, Travelers provides gap insurance, accident forgiveness, new car replacement, and a variety of additional coverages. Drivers can benefit from a range of discounts, including those for bundling policies or covering a new vehicle. Travelers’ IntelliDrive program rewards policyholders with discounts of up to 30% for safe driving.
