
Root Insurance Company will pay a $975,000 penalty following a data breach that exposed the private information of more than 44,000 New Yorkers. The breach, uncovered in January 2021, involved cybercriminals exploiting Root’s online auto quote tool, which auto-filled sensitive data such as driver’s license numbers into downloadable PDFs. Though Root does not sell insurance in New York, its systems pulled and exposed New Yorkers’ information via third-party data sources.
The exposed data was later linked to fraudulent unemployment claims filed during the COVID-19 pandemic. Root's failure to implement basic security measures, including rate limiting, user authentication, and adequate risk assessments, was central to the breach: because the quote tool answered unauthenticated requests without limit and lacked defenses against automated bot activity, attackers could harvest data at scale. The company's lack of encryption compounded the exposure.
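The failure mode above, a prefill endpoint that hands back a full driver's license number to anyone who can guess a name and address, is easy to model. The following is an added example written for this page, not Root's code and not a description of how its tool actually worked: a constructed in-memory stand-in for a third-party lookup source, an unguarded lookup that a bot can enumerate, and a hardened form that applies a per-client sliding-window rate limit and returns only a masked value until a separate identity check (simulated here by a flag) has passed. Record values, the limiter budget and the helper names are all assumptions.

```python
"""Model of a prefill-harvesting weakness and one hardened form (illustrative)."""
import time
from collections import defaultdict, deque

# Constructed sample data standing in for a third-party lookup source.
# Names, addresses and license numbers are invented for this example.
THIRD_PARTY_RECORDS = {
    ("alice example", "1 main st"): "A123456789",
    ("bob example", "2 main st"): "B987654321",
    ("carol example", "3 main st"): "C555555555",
}


def _key(name, address):
    return (name.lower().strip(), address.lower().strip())


def weak_prefill(name, address):
    """Unauthenticated, unlimited lookup that returns the full license number.

    Any caller who can guess a name and address gets sensitive data back,
    as many times as they like, so a bot can walk an entire directory.
    """
    return {"license": THIRD_PARTY_RECORDS.get(_key(name, address))}


class SlidingWindowLimiter:
    """Per-client sliding-window rate limiter (hypothetical helper).

    Keeps the timestamps of recent requests per client and refuses a
    request once max_requests have been seen inside window_seconds.
    """

    def __init__(self, max_requests, window_seconds, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(deque)

    def allow(self, client_id):
        now = self.clock()
        hits = self._hits[client_id]
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # drop timestamps that fell out of the window
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def mask_license(number):
    """Keep only the last two characters, enough for a user to recognise a record."""
    if not number:
        return None
    return "*" * (len(number) - 2) + number[-2:]


def hardened_prefill(client_id, name, address, limiter, identity_verified=False):
    """Rate-limited lookup that never returns the full value to an unverified caller."""
    if not limiter.allow(client_id):
        return {"error": "rate_limited"}
    number = THIRD_PARTY_RECORDS.get(_key(name, address))
    if number is None:
        return {"license": None}
    return {"license": number if identity_verified else mask_license(number)}


def harvest(lookup):
    """Simulate a bot enumerating every (name, address) pair it knows."""
    return [lookup(name, address) for (name, address) in THIRD_PARTY_RECORDS]


def demo():
    # Bot against the weak endpoint: every record comes back in full.
    weak = harvest(weak_prefill)
    # Same bot against the hardened endpoint with a budget of 2 requests / 60 s
    # from one client: two masked answers, then it is cut off.
    limiter = SlidingWindowLimiter(max_requests=2, window_seconds=60)
    hard = harvest(lambda n, a: hardened_prefill("bot-ip", n, a, limiter))
    return weak, hard


if __name__ == "__main__":
    weak, hard = demo()
    print("weak:", weak)
    print("hardened:", hard)
```

A per-client limit keyed on source IP is the minimum; a bot spread across many addresses will stay under it, so in practice the client key should combine IP with a session or device token, and the full license number should only be written into a quote document after the user has proven their identity, not on first contact.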
Under an Assurance of Discontinuance agreement with the New York Attorney General’s Office, Root is now required to strengthen its information security program. Measures include maintaining a data inventory, implementing secure software development practices, enhancing user authentication, and improving logging and monitoring systems. The company must also assign a qualified Chief Information Security Officer and report regularly on the program’s status.
This settlement adds to a growing list of enforcement actions taken by AG Letitia James against auto insurers for cybersecurity lapses. With this resolution, James has now secured over $6.5 million in total penalties from the industry for failing to protect consumer data.