New York Sues Allstate Over Data Breach and Security Failures

New York Attorney General Letitia James has filed a lawsuit against Allstate’s National General unit, alleging the company failed to adequately protect consumer data and neglected to report data breaches that exposed thousands of driver’s license numbers.
The lawsuit, filed in a Manhattan state court on Monday, seeks financial penalties and improved security measures.
The breaches, which occurred in 2020 and 2021, stemmed from vulnerabilities in National General’s online auto insurance quoting tools. Hackers exploited weaknesses in these systems to access the driver’s license numbers of over 165,000 New Yorkers and nearly 200,000 individuals in total.
The attorney general’s office contends that National General failed to implement sufficient safeguards to prevent unauthorized access and did not promptly alert affected individuals or state agencies.
According to the complaint, the first breach occurred between August and November 2020 but went undisclosed. National General only became aware of a second, larger breach in early 2021 after months of exposure.
The lawsuit claims this failure to act violated New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which requires companies to secure private data and report breaches in a timely manner.
Attorney general James criticized National General for its lax security practices, stating that weak cybersecurity protections allowed bad actors to target the company twice within a short period. The lawsuit demands penalties of up to $5000 per violation.
Allstate, which acquired National General in January 2021 for approximately $4bn, defended its handling of the situation. The company stated that it swiftly addressed vulnerabilities upon discovery, notified regulators and provided affected consumers with credit monitoring services.
Despite these actions, the lawsuit argues that the company’s response was insufficient and that stronger security measures should have been in place earlier.
Erich Kron, a security awareness advocate at KnowBe4, highlighted the risks of failing to notify customers about breaches, stating that bad actors can use stolen data to impersonate insurance companies and deceive customers.
“One easy way a bad actor could use this against a customer is to contact them while pretending to be from the insurance company, then convincing them that they need to pay a bill,” he explained.
This legal action follows similar enforcement efforts against other insurance companies in New York. In recent months, state regulators have imposed fines on firms like Geico and Travelers for security lapses that compromised consumer data.
The attorney general’s office has reaffirmed its commitment to holding companies accountable for failing to protect sensitive personal information.
With increasing scrutiny of cybersecurity failures, companies may face more lawsuits if they fail to meet data protection standards.
“Organizations should contact the victims whose data has been stolen and provide them advice in a timely and actionable way,” Kron warned.