New York Attorney General Letitia James has secured $975,000 in penalties from auto insurance company Root over a data breach that the state says exposed the personal information of about 45,000 New Yorkers.
Root does not offer insurance in New York, but scammers gained access to New Yorkers’ driver’s license numbers and personal information, according to the attorney general.
The data breach was part of an industry-wide campaign to steal consumers’ personal information, including driver’s license numbers and dates of birth, from online automobile insurance quoting applications. The data thieves then used some of the stolen driver’s license information to file fraudulent unemployment claims at the height of the COVID-19 pandemic.
The Root settlement brings the total amount the state has secured from auto insurance companies for their failure to protect New Yorkers’ data to $6.57 million. New York recently secured $5.1 million from GEICO and Travelers, as well as $500,000 from Noblr, for also failing to prevent a data breach of New Yorkers’ data.
Last month, the attorney general sued Allstate for allegedly causing more than 165,000 New Yorkers’ information to be exposed.
“When companies have poor data security practices, they put individuals at risk of identity theft and other fraud,” said Attorney General James in announcing the settlement. “Auto insurance companies need to make sure that the systems they use to store people’s data are protected to prevent cybercriminals from stealing driver’s license numbers, Social Security numbers, and other private information.”
Root allows consumers to obtain a price quote through its website. After limited personal information was entered, the online quoting tool “pre-filled” personal information such as driver’s license numbers. According to the attorney general, Root’s system exposed full, plaintext driver’s license numbers in a PDF generated at the end of the auto quote process.
In January 2021, Root discovered bad actors exploiting the pre-fill vulnerability. The attorney general determined that Root failed to perform adequate risk assessments on its public-facing web applications, did not identify the plain text exposure of consumer personal information, and employed insufficient controls to thwart automated attacks.
In addition to paying $975,000 in penalties, Root is required to enhance its data security in keeping with the state’s data security guidelines for companies.
Root agreed to the settlement but neither admits nor denies the findings of the attorney general.