In a significant enforcement move, New York Attorney General Letitia James and the New York Department of Financial Services (DFS) have fined insurers Geico and Travelers Indemnity Company a combined $11.3 million over data breaches that exposed the personal information of more than 120,000 people during the COVID-19 pandemic. The penalties point to failures in both companies' security controls: weak protection of a public self-service tool in one case and missing multifactor authentication in the other, which together let attackers steal sensitive data such as driver's license numbers and other personal details.
The data breaches at Geico and Travelers revealed security gaps that, while common in cyberattacks, highlight areas where stronger measures could have mitigated the risk.
Geico Data Breach: Quoting Tool Exploited By Credential Stuffing
Geico's breach stemmed from weaknesses in its online quoting tool, a self-service system meant to give prospective customers a quick insurance quote. Between 2020 and 2021, attackers abused the tool with credential stuffing. In this technique, attackers take username and password pairs leaked in earlier, unrelated breaches and replay them at scale with automated tooling, relying on the fact that many people reuse the same password across sites; every pair that still works is a valid login.
Once inside, attackers were able to extract driver’s license numbers for approximately 116,000 individuals. This type of information, while not a direct financial target, can serve as a key piece for identity theft schemes, such as filing fraudulent unemployment claims—an issue that saw a surge during the pandemic.
The breach underscores the importance of bot defenses in front of any system that returns sensitive data: CAPTCHA or other automated bot detection, rate limiting, and monitoring for login patterns typical of stuffing (one source trying many different usernames, most of them failing). Step-up verification before a sensitive field such as a driver's license number is returned, rather than treating a single password as sufficient, would have added a further safeguard against these attacks.
Travelers Data Breach: Absence of Multifactor Authentication
In April 2021, Travelers experienced a breach that compromised the data of approximately 4,000 individuals. The attackers logged in with stolen employee credentials. Because the affected systems did not require multifactor authentication (MFA), a valid username and password alone were enough to get in.
MFA requires a user to prove their identity with a second factor in addition to the password, such as a one-time code generated by an authenticator app on a phone or a hardware token. It is considered a foundational control in today's threat landscape precisely because stolen or leaked passwords are so common: with MFA in place, a password alone does not open the account. Without it, the attackers needed nothing more than a username and password.
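To make concrete what the "code generated on a phone" adds, the following is an added example, not code from the article or from Travelers: a minimal RFC 6238 TOTP implementation with the server-side checks that matter in practice, a small clock-drift window and rejection of a code that has already been accepted, so a one-time code intercepted alongside the password cannot simply be replayed. The demo secret is a constructed value; the RFC 6238 test vector (secret `12345678901234567890`, time 59, SHA-1, 8 digits) is used to confirm the arithmetic.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret in base32, the encoding enrolment QR codes carry. Not a real credential.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
# Base32 of the ASCII secret "12345678901234567890" from the RFC 6238 test vectors.
RFC6238_SHA1_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret_b32, int(at_time) // step, digits)


class TotpVerifier:
    """Server side of the check.

    Accepts the current step plus/minus `drift` steps to tolerate clock skew,
    and never accepts a step at or below the last one that succeeded, so a
    captured code cannot be replayed within its validity window.
    """

    def __init__(self, secret_b32, step=STEP_SECONDS, drift=1):
        self.secret = secret_b32
        self.step = step
        self.drift = drift
        self.last_accepted_step = -1

    def verify(self, submitted, at_time):
        now_step = int(at_time) // self.step
        for delta in range(-self.drift, self.drift + 1):
            step = now_step + delta
            if step <= self.last_accepted_step:
                continue  # already consumed: blocks replay of an intercepted code
            expected = hotp(self.secret, step)
            # Constant-time comparison; a plain == would leak via timing.
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET_B32, now)
    verifier = TotpVerifier(DEMO_SECRET_B32)
    print("current code:", code)
    print("first use accepted:", verifier.verify(code, now))
    print("replay accepted:", verifier.verify(code, now + 5))
```

The replay check is what turns a "something you have" factor into a real one: even if an attacker phishes both the password and the current code, the code is single-use and expires within the step window, which is exactly the property a stolen password alone lacks.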
While no misuse of the exposed data has been reported so far, the incident shows why MFA should be standard on every system that employees use to reach customer data. Both breaches occurred during a period of heightened online activity driven by the COVID-19 pandemic, illustrating how attackers took advantage of strained systems and widespread remote work to target weak authentication and exposed self-service tools.
New York’s Strict Cybersecurity Standards
The fines, $9.75 million for Geico and $1.55 million for Travelers, reflect New York's position as a leader in cybersecurity regulation. DFS's Cybersecurity Regulation, 23 NYCRR Part 500, requires the entities it regulates, including insurers, to maintain a documented cybersecurity program, perform regular risk assessments, and implement controls such as MFA.
Both companies were found to have violated these regulations:
- Geico’s failure to secure its online quoting tool allowed unauthorized access to sensitive customer information.
- Travelers’ lack of MFA left internal systems vulnerable to intrusion.
“DFS’s groundbreaking cybersecurity regulation establishes a vital foundation for ensuring the safety of sensitive consumer data and the resilience of financial institutions,” said New York State Financial Services Superintendent Adrienne Harris. “These enforcement actions reinforce the Department’s commitment to ensuring that all licensees, especially those entrusted with consumer financial information like GEICO and Travelers, uphold their duty to implement robust measures that shield New Yorkers from potential data breaches and cyber threats. I thank the Attorney General’s office for their coordination during these investigations.”
Impact on Consumers: The Long Tail of Data Breaches
For the individuals affected by the Geico and Travelers breaches, the consequences go beyond the immediate exposure of personal data. The fallout can affect financial stability and long-term security.
The Financial Impact Of Data Breaches
In Geico’s case, the theft of driver’s license numbers created opportunities for criminals to file fraudulent unemployment claims. These scams not only disrupted legitimate claims but also required affected individuals to invest significant time and effort into proving their identities and disputing false filings. In some cases, these fraudulent claims may have delayed essential benefits for victims during an already challenging time.
For Travelers, while fewer individuals were impacted, the breach exposed personal details that could be used for identity theft or other fraudulent activities. The exposure of such information adds a layer of uncertainty for those affected, even if immediate misuse hasn’t been reported.
The Emotional and Practical Toll Of Data Breaches
Beyond financial implications, the emotional burden on victims is significant. Knowing that personal information is in the hands of unknown parties creates stress and a lingering sense of vulnerability. Victims are often left wondering how, when, or if their data will be used in the future.
Recovery from such breaches can be a long process. Victims may need to monitor their credit for unusual activity, place fraud alerts or freezes on their accounts and invest in identity protection services. The process often involves not just resolving immediate issues but remaining vigilant for potential future misuse of stolen data.
Data Breach Enforcement Escalates
The Geico and Travelers breaches highlight the far-reaching consequences of data exposure, not just for companies but for the individuals whose information is compromised. As New York’s enforcement action shows, regulators are increasingly holding organizations accountable for protecting sensitive data, signaling a broader push for stronger cybersecurity measures across industries. For consumers, these incidents serve as a reminder to stay proactive in monitoring their own accounts and securing their personal information.
Both Geico and Travelers have been contacted for comment. This article will be updated when they respond.