New York’s Attorney General filed a lawsuit against National General and Allstate Insurance Co. for failing to protect New Yorkers’ personal information from cyberattacks.
Letitia James’ office today filed the suit from incidents in 2020 and 2021, when National General suffered a pair of back-to-back data breaches that exposed the driver’s license numbers of more than 165,000 New Yorkers. The Office of the Attorney General alleges that following the first breach, National General failed to notify impacted consumers and neglected to determine whether sensitive information was exposed elsewhere in its system, which enabled a second, larger breach months later.
James alleges the two breaches were a result of National General’s failure to implement reasonable data security measures, both before and after Allstate assumed control of its data security operations.
James is seeking penalties for National General’s failure to institute reasonable data security safeguards and notify consumers, and an injunction to stop any continued violations.
In 2020, attackers began targeting National General’s online quoting websites, which were designed to automatically display consumers’ full driver’s license numbers in plain text, a flaw that bad actors were able to take advantage of to access consumers’ private information.
The first breach, which affected two public-facing websites, exposed the driver’s license numbers of nearly 12,000 individuals, including more than 9,100 New Yorkers. National General failed to detect the breach for two months.
National General then failed to alert the consumers whose data was exposed or notify the appropriate state agencies after the company discovered the breach, according to James’ office.
The company also continued to leave driver’s license numbers exposed on a separate quoting website for independent insurance agents, which was also weakly protected, according to the office.
Attackers then targeted this system in a second, larger breach, which National General detected in February 2021. This attack compromised the personal information of an additional 187,000 consumers, including the driver’s license numbers of roughly 155,000 New Yorkers.
According to the lawsuit, National General’s data security failures continued after The Allstate Corporation acquired National General and Allstate took control of National General’s data security function.
James alleges that National General violated state consumer protection and business laws by failing to secure sensitive information, misrepresenting its data security practices to customers and consumers and failing to notify affected consumers of the initial breach.
Was this article valuable?
Here are more articles you may enjoy.
Report: Insurers Pay $1.6B in Dog Bite Claims, as Frequency Soars 
FEMA Denies Washington State Disaster Relief From Bomb Cyclone, Governor Says 
FBI Says Cybercrime Costs Rose to at Least $16 Billion in 2024 
US Regulator Takes Initial Steps to Boost Self-Driving Cars 
Want to stay up to date?
Get the latest insurance news
sent straight to your inbox.