An auto insurance company was fined $975,000 for allegedly failing to protect the personal information of 45,000 New York residents.
The office of New York Attorney General Letitia James on Thursday announced the AG secured $975,000 in penalties from Root, which was affected by a data breach that was part of an industry-wide campaign to steal consumers’ personal information, including driver’s license numbers and dates of birth, from online automobile insurance quoting applications. The data thieves reportedly then used some of the stolen driver’s license information to file fraudulent unemployment claims at the height of the COVID-19 pandemic.
James recently got $5.1 million from GEICO and Travelers, as well as $500,000 from Noblr, for also reportedly failing to protect New Yorkers’ data.
Root does not offer insurance in New York, but the company’s security failures allowed scammers to gain access to New Yorkers’ driver’s license numbers and personal information, according to the AG’s office.
Root allows consumers to obtain a price quote through its website. After some personal information is entered, the online quoting tool pre-fills personal information such as driver’s license numbers. Root’s system exposed full, plaintext driver’s license numbers in a PDF generated at the end of the auto quote process, according to the AG.
In January 2021, Root discovered bad actors were exploiting the prefill vulnerability. According to the AG, Root failed to perform adequate risk assessments on its public-facing web applications, did not identify the plaintext exposure of consumer personal information, and employed insufficient controls to thwart automated attacks.
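Two of the controls the article says were missing, shown as an added illustration (not Root's code and not from the AG's announcement): a quote-prefill response that masks the license number instead of echoing it in full, and a velocity check that flags clients hammering the prefill endpoint. The record layout, the `/quote/prefill` path and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lookup result (hypothetical data, not a real record).
RECORD = {"name": "J. Doe", "dob": "1980-01-01", "dl_number": "D123456789012"}


def prefill_plaintext(record):
    """The failure mode described above: the full license number goes back to the client."""
    return {"dl_number": record["dl_number"]}


def prefill_masked(record, keep=4):
    """Hardened variant: only a masked token leaves the server; the full value stays server-side."""
    dl = record["dl_number"]
    return {"dl_number": "*" * (len(dl) - keep) + dl[-keep:]}


def flag_prefill_bursts(log, window=timedelta(minutes=5), threshold=20):
    """Return client IPs with more than `threshold` prefill requests inside any `window`.

    `log` is an iterable of (timestamp, client_ip, path) tuples. A sliding window over
    each client's sorted timestamps catches scripted enumeration that a per-request
    check would miss.
    """
    hits = defaultdict(list)
    for ts, ip, path in log:
        if path == "/quote/prefill":
            hits[ip].append(ts)
    flagged = set()
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return sorted(flagged)


def build_sample_log():
    """Constructed request log: one scripted client and one ordinary shopper."""
    base = datetime(2021, 1, 15, 12, 0, 0)
    log = [(base + timedelta(seconds=4 * i), "203.0.113.7", "/quote/prefill") for i in range(30)]
    log += [(base + timedelta(minutes=20 * i), "198.51.100.20", "/quote/prefill") for i in range(3)]
    log.append((base, "198.51.100.20", "/quote/start"))
    return log
```

Running `flag_prefill_bursts(build_sample_log())` flags only the scripted client, which is the kind of signal the logging and monitoring requirement below is meant to surface.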
The AG investigation determined that the insurance company failed to adopt reasonable safeguards to protect private information. In addition to paying $975,000 in penalties, Root is required to enhance its data security, including by:
- Maintaining a comprehensive information security program designed to protect the security, confidentiality and integrity of private information;
- Developing and maintaining a data inventory of private information and ensuring such information is protected by reasonable safeguards;
- Maintaining reasonable authentication procedures for access to private information;
- Maintaining a logging and monitoring system as well as reasonable policies and procedures designed to properly configure the system to alert of suspicious activity.