New York has fined GEICO $9.75 million and Travelers $1.55 million for cybersecurity breaches that compromised the personal data of over 120,000 customers. State officials, including Attorney General Letitia James and DFS Superintendent Adrienne A. Harris, determined that both insurers failed to comply with the state’s stringent cybersecurity regulations, leaving sensitive information, such as driver’s license numbers, vulnerable to theft.
Hackers targeted the companies’ online insurance quoting tools, exploiting weaknesses to steal customer data. This stolen information was later used in fraudulent unemployment claims during the COVID-19 pandemic. GEICO’s breaches involved both its consumer-facing quoting platform and its agents’ quoting tools, while Travelers’ breach stemmed from compromised agent credentials and a lack of multifactor authentication on its portal.
Both companies have agreed to implement enhanced cybersecurity measures as part of the settlements. These include conducting cybersecurity risk assessments, penetration testing, and strengthening access controls to protect sensitive data. New York’s updated Cybersecurity Regulation has been instrumental in addressing these types of risks and serves as a model for other regulatory bodies.