New York fines Geico, Travelers $11.3M over data breaches

The two insurance giants were fined millions by New York state regulators and are required to enhance security protocols around authentication and penetration testing.

Geico and Travelers Indemnity Co. were ordered to pay millions in fines and bolster their security programs following cyberattacks that exposed sensitive customer information belonging to more than 120,000 New York state residents.

On Monday, the New York Department of Financial Services announced that New York Attorney General Letitia James and New York state DFS Superintendent Adrienne Harris won an $11.3 million data breach case against Geico and Travelers. The insurance giants suffered separate attacks against their insurance quoting tools that compromised New York residents' personal information, including driver's license numbers and dates of birth.

The DFS detailed how Geico and Travelers lacked sufficient security postures, which led to the compromise of sensitive data. The data breach cases involved a series of cyberattacks against Geico beginning in 2020 and one against Travelers in 2021.

In both cases, attackers compromised the companies' third-party auto insurance quoting tools and exfiltrated driver's license numbers.

The DFS claimed Geico inadequately secured its publicly facing website and failed to comprehensively review its systems after DFS notified the insurer of the attack campaign. The DFS said that although Geico remediated vulnerabilities affecting its website, attackers were able to exploit flaws in Geico's insurance agents' quoting tool to obtain the data. The attack exposed the driver's license numbers of 116,000 New York State residents.

Regarding Travelers, the DFS said the insurer failed to implement adequate security protocols, despite alerts about an attack campaign that targeted insurance quoting tools. During the attack against Travelers, threat actors used stolen credentials belonging to Travelers agents. The DFS said Travelers' agent portal lacked MFA, so the stolen credentials alone were enough for the attackers to gain initial access.

The DFS stated that it took more than seven months for Travelers to detect suspicious activity on the compromised agent portal. The attack exposed the personal information of 4,000 New York individuals.

As a result of the data breach case, Geico was penalized $9.75 million, and Travelers was fined $1.55 million. Additionally, both insurers are required to bolster their security practices by developing and maintaining a data inventory of private information, enhancing threat detection and response tools, and improving authentication procedures.

In the consent order between the DFS and Geico, the agency said attackers exploited a vulnerability discovered in the third-party quoting tool 75 times between 2020 and 2021. Additionally, it revealed attackers demanded a ransom from Geico during the 2020 attack.

"Geico did not discover the Third Cybersecurity Event until March 1, 2021, when it received communications from threat actors attempting to ransom back to Geico stolen customer data, as well as separate communications from an individual describing a personal falling out with the threat actors and walking GEICO through precisely the steps taken to steal the customer data and what steps GEICO needed to take to solve the vulnerability," New York State DFS wrote in the consent order.

The consent order cited additional ways in which Geico's security posture was lacking. For example, it said Geico did not encrypt sensitive data or conduct annual penetration testing on its network.

Geico was ordered to undergo a cybersecurity risk assessment within 30 days of the consent order.

TechTarget Editorial contacted Travelers for comment and a company spokesperson sent the following statement:

"We're pleased to have resolved this matter, which involved the stolen credentials of a limited number of independent agents. Protecting the information of all our stakeholders is a top priority, and we will continue to partner with our independent agents to prevent similar incidents in the future. It is important to note that Travelers' internal systems were not impacted by this incident."

Geico did not respond to a request for comment at press time.

Geico and Travelers are the latest companies to be fined by regulatory agencies for security shortcomings this year. Last month, the U.S. Federal Trade Commission ordered Marriott International Inc. to pay $52 million in fines and enhance its security practices following three data breaches that affected more than 300 million customers. T-Mobile was also ordered to pay a $15.75 million penalty last month by the Federal Communications Commission over the telecom giant's handling of several data breaches. As part of the settlement, T-Mobile must invest another $15.75 million in its enterprise security program.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.