New York Attorney General Letitia James has secured $14.2 million in settlements from eight auto insurance companies following cybersecurity failures that allowed hackers to access personal information belonging to more than 825,000 state residents. The breaches centered on online systems designed for generating insurance quotes, tools often relied upon by car insurance agents to assist clients in comparing rates.
The hacking incidents exploited weaknesses in these digital quoting platforms, enabling unauthorized access to sensitive details such as driver’s license numbers and dates of birth. In certain cases, the stolen data was misused to file fraudulent unemployment claims amid the height of the COVID-19 pandemic, adding to the harm inflicted on affected individuals.
A collaborative investigation conducted by James’s office alongside the New York State Department of Financial Services uncovered that the insurers had not implemented sufficient protections to secure consumer data. As outlined in the settlements announced on October 14, the companies are now required to enhance their security measures significantly. They have also already offered one year of complimentary credit monitoring services to those impacted by the breaches.
This development extends previous enforcement actions by James, who earlier recovered $6.5 million from four additional auto insurers for comparable lapses in data protection. In total, these efforts have resulted in more than $20.7 million collected from a dozen companies, with the incidents affecting approximately one million New Yorkers overall.
In her statement, James highlighted the critical need for robust safeguards, pointing out that consumers seeking competitive car insurance rates should not have to worry about their private information being put at risk. She commended the joint work with state financial and labor agencies in holding companies accountable for shortcomings in protecting personal data.
The companies involved in the latest settlements are American Family Mutual Insurance Company and its affiliate Midvale Indemnity Company, Farmers Insurance, Hagerty Insurance Agency, The Hartford Insurance Group, Infinity Insurance Company, Liberty Mutual Insurance, Metromile, and State Auto Mutual Insurance Company.
These firms provided online quoting functionalities that permitted users, including car insurance agents acting for customers, to enter basic information and receive pre-populated forms drawing additional personal details from external databases. While intended to simplify the quoting process, the investigation revealed that these systems were inadequately fortified against external threats.
Among the specific deficiencies identified were repeated breaches at some insurers without timely resolutions, a lack of fundamental monitoring mechanisms to detect anomalous activities, and insufficient evaluations following updates to the systems. For example, Farmers Insurance experienced three distinct attacks that compromised data for around 45,000 New York residents. Similarly, State Auto’s platforms left information on more than 100,000 individuals vulnerable due to the absence of notifications for suspicious behaviors, such as multiple queries originating from identical sources.
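The missing notification described above, an alert when many queries originate from the same source, can be expressed as a per-source sliding-window check. The following Python is an added example, not code from the insurers, the investigation or the settlements; the log format, the 10-minute window and the threshold of three distinct applicants are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines (not real data): ISO timestamp, source IP, applicant ID.
SAMPLE_LOG = """\
2021-02-01T09:00:00 198.51.100.20 A-1001
2021-02-01T09:00:40 198.51.100.20 A-1001
2021-02-01T09:01:00 203.0.113.7 A-2001
2021-02-01T09:01:30 203.0.113.7 A-2002
2021-02-01T09:02:00 198.51.100.20 A-1001
2021-02-01T09:02:10 203.0.113.7 A-2003
truncated entry
2021-02-01T09:03:00 203.0.113.7 A-2004
2021-02-01T09:04:00 203.0.113.7 A-2005
2021-02-01T09:05:00 192.0.2.55 A-3001
2021-02-01T11:00:00 192.0.2.55 A-3002
2021-02-01T13:00:00 192.0.2.55 A-3003
2021-02-01T15:00:00 192.0.2.55 A-3004
"""

def flag_sources(log_text, window=timedelta(minutes=10), max_distinct=3):
    """Return {source: time of first alert} for sources that request quotes
    for more than max_distinct different applicants within the window.
    Assumes the log is in chronological order."""
    recent = defaultdict(deque)   # source -> (timestamp, applicant) in window
    alerts = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue              # skip malformed or truncated entries
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        source, applicant = parts[1], parts[2]
        q = recent[source]
        q.append((ts, applicant))
        while ts - q[0][0] > window:
            q.popleft()           # drop requests older than the window
        # A person re-quoting themselves repeats one identity; a source
        # cycling through many identities is the anomaly worth alerting on.
        if len({a for _, a in q}) > max_distinct and source not in alerts:
            alerts[source] = ts
    return alerts

if __name__ == "__main__":
    for src, when in flag_sources(SAMPLE_LOG).items():
        print(f"ALERT {src} exceeded distinct-applicant threshold at {when}")
```

Agent-facing portals would need a higher threshold or a per-account baseline, since agents legitimately quote for several clients.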
Metromile’s security lapse remained undetected for two months, endangering data for about 90,000 people. Infinity Insurance suffered intrusions affecting both consumer-facing and agent-specific interfaces, impacting roughly 245,000 New Yorkers in aggregate. Other entities, including Liberty Mutual and The Hartford, operated tools that had not been properly vetted for privacy vulnerabilities or equipped with essential features like multi-factor authentication.
The financial penalties are distributed as follows: a combined $2.8 million from American Family and Midvale, $1.3 million each from Farmers and Hagerty, $2 million apiece from Infinity, Liberty Mutual, Metromile, and State Auto, and $815,000 from The Hartford.
In addition to the monetary fines, the settlements mandate the establishment of comprehensive security frameworks. These include complete audits of sensitive data holdings, strengthened access restrictions, continuous threat surveillance, and refined protocols for responding to incidents.
James encouraged all businesses to consult her office’s resources on best practices for data protection to prevent future oversights. This initiative aligns with her ongoing campaign to address inadequate cybersecurity across industries, encompassing prior actions against other insurance providers and a health care organization for similar data exposure issues.