In a stark reminder of the importance of cybersecurity, two major auto insurance companies, GEICO and Travelers, have been fined $11.3 million by New York State authorities for failing to protect the sensitive information of over 120,000 New Yorkers. The fines, announced on November 25, 2024, highlight significant lapses in the companies' data security protocols that enabled hackers to access personal information including driver's license numbers, dates of birth, and insurance estimates.
GEICO, a subsidiary of Berkshire Hathaway Inc., was hit with a staggering $9.75 million penalty. The breach began in November 2020 when hackers exploited vulnerabilities in GEICO's online quoting tools. Despite being warned by the New York State Department of Financial Services (DFS) about an industry-wide cyberattack campaign targeting driver's license numbers, GEICO failed to implement sufficient security measures. This led to the exposure of approximately 116,000 New York residents' personal information through GEICO's insurance agents' quoting tool. Attackers used the stolen data to file fraudulent unemployment claims during the COVID-19 pandemic, underscoring the real-world consequences of such breaches.
Travelers Cos. Inc. was not spared, agreeing to pay $1.55 million in penalties for a similar cybersecurity lapse. In April 2021, hackers used compromised credentials to access Travelers' agent portal, which lacked multifactor authentication. The breach went undetected for over seven months, exposing the personal information of about 4,000 New Yorkers. The incident was only discovered after a third-party data provider alerted Travelers, emphasizing the need for robust detection systems.
As part of the settlement agreement, both companies have committed to significant enhancements in their cybersecurity practices:
Comprehensive Cybersecurity Programs: GEICO and Travelers must maintain comprehensive information security programs to protect the security, confidentiality, and integrity of consumer data.
Data Inventories: Both insurers will develop and maintain a detailed inventory of private information, ensuring it is safeguarded with appropriate controls.
Authentication Procedures: Reasonable authentication procedures for access to private information are to be put in place to prevent unauthorized access.
Logging and Monitoring: The companies will maintain logging and monitoring systems to detect and respond to suspicious activities promptly.
Threat Response: Enhancing threat response procedures is crucial to mitigate future breaches swiftly.
The settlements reflect New York State's commitment to enforcing cybersecurity regulations. Attorney General Letitia James and DFS Superintendent Adrienne Harris have been vocal about the need for companies to prioritize data protection:
"While GEICO and Travelers are supposed to safeguard drivers during emergencies, they have failed to secure consumers' private data," said Attorney General James. "Data breaches can lead to significant fraud, and that is why it is crucial for all businesses to prioritize cybersecurity and data protection."
Anthony Denis is a Security News Reporter with a Bachelor's in Business Computer Application. Drawing from a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to deliver complex security topics with clarity and insight.