Attorney General James secures $14.2M settlement with insurers over data breaches affecting New Yorkers

Attorney General Letitia James - Official website

New York Attorney General Letitia James has reached settlements totaling $14.2 million with eight car insurance companies following data breaches that compromised the personal information of more than 825,000 New Yorkers. The breaches involved hackers targeting online quoting tools and accessing sensitive data such as driver’s license numbers and dates of birth. Some of this information was later used to file fraudulent unemployment claims during the COVID-19 pandemic.

The investigation, conducted by the Office of the Attorney General (OAG) and the New York State Department of Financial Services (DFS), found that these companies did not have adequate data security measures in place to protect consumer information. As part of the settlements, all eight companies will pay penalties and are required to improve their cybersecurity practices. Affected individuals have been offered free credit report monitoring for one year.

Attorney General James previously secured $6.5 million from four other car insurance companies for similar failures, bringing the total amount recovered from 10 auto insurers to $20.79 million.

“New Yorkers pay hundreds of dollars in car insurance each month. When they go searching for a cheaper option, they should not have to worry that their private information could be stolen,” said Attorney General James. “These eight car insurance companies had poor cybersecurity that allowed hackers to easily steal New Yorkers’ personal information and use some of the information for fraud. I thank the Department of Financial Services and the Department of Labor for their partnership and continued work to hold companies accountable when they fail to protect consumers.”

The settlements involve American Family Mutual Insurance Company/Midvale Indemnity Company, Farmers Insurance, Hagerty Insurance Agency, The Hartford Insurance Group, Infinity Insurance Company, Liberty Mutual Insurance, Metromile, and State Auto Mutual Insurance Company.

According to findings from OAG’s investigation, hackers exploited a “pre-fill” function in online quote tools, which automatically populated forms with personal data purchased from brokers after a user entered limited information such as a name and date of birth. Without sufficient safeguards in place, this made it easier for attackers to access additional sensitive details such as driver’s license numbers.

Several companies experienced multiple attacks or lacked basic security features such as multifactor authentication or proper monitoring systems:

– Farmers Insurance faced three attacks affecting about 45,000 people.
– American Family Mutual/Midvale Indemnity exposed roughly 100,000 records due to errors during a security system transition.
– State Auto Mutual exposed over 100,000 records due to inadequate monitoring.
– Metromile failed to detect an attack exposing around 90,000 records for two months.
– Liberty Mutual had three tools attacked without prior privacy assessments.
– The Hartford suffered two breaches impacting about 30,000 people; it had policies in place, but they were not effectively implemented.
– Hagerty detected unusual activity but did not immediately identify it as an attack; about 66,000 records were exposed.
– Infinity had three incidents exposing a combined total exceeding 245,000 records, due in part to a lack of multifactor authentication on agent tools.

Penalty amounts under today’s settlement are: American Family/Midvale ($2.8 million), Farmers ($1.3 million), Hagerty ($1.3 million), Infinity ($2 million), Hartford ($815,000), Liberty Mutual ($2 million), Metromile ($2 million), and State Auto ($2 million).

In addition to financial penalties, these insurers must now implement stronger cybersecurity protocols including comprehensive security programs, better inventory management of private data, improved authentication procedures, enhanced logging/monitoring systems for suspicious activity detection, and stronger threat response processes.

This action follows other recent enforcement efforts by Attorney General James against inadequate cybersecurity practices across industries—including lawsuits against Allstate Insurance over a separate breach affecting more than 165,000 New Yorkers; an $11.3 million settlement with GEICO and Travelers; action against a Capital Region health care provider; and initiatives providing privacy guidance resources for businesses and consumers.

The case was managed by members of OAG’s Bureau of Internet and Technology along with analysts from its Research and Analytics Department under supervision from senior officials within the Division for Economic Justice.


