Geico and Travelers Fined $11.3 Million for NY Data Breaches 


New York state has penalized two auto insurance giants for failing to secure customer data.

Geico and Travelers will pay a combined $11.3 million in penalties “for having poor data security,” which allowed more than 120,000 New Yorkers’ information to be compromised, the New York Department of Financial Services (NYDFS) announced Monday (Nov. 25).

The settlement follows an NYDFS investigation that found the companies had failed to comply with its cybersecurity regulation, and a separate investigation by the New York State Attorney General, whose findings included the insurers' failure to implement proper data security controls.

Geico, which had 116,000 customers from New York exposed in the attacks, will pay the bulk of the penalties, at $9.75 million. Travelers, which had 4,000 customers exposed, will pay $1.55 million, the NYDFS said.

According to the NYDFS, the data breaches were part of an industry-wide hacking campaign that tried to steal consumers’ personal information.

Geico suffered a series of breaches beginning in November 2020, the department said, and failed to “conduct a comprehensive review of its systems to prevent and detect future cyberattacks,” despite being warned by DFS of the cyberattack campaign.

“GEICO is pleased to have resolved this matter with the New York State Department of Financial Services and the New York State Attorney General,” the company said in a statement provided to PYMNTS. “When this issue was identified, GEICO self-reported it to New York State officials and the company made improvements to its systems to prevent additional exploitation by these fraudsters.”

Travelers was breached in April 2021 when hackers broke into its agent portal using compromised agent credentials.

“The insurance agent portal was password protected but did not use multifactor authentication or any other compensating controls, making it easier to exploit,” the NYDFS said.

A company spokesperson told PYMNTS the breach involved a “limited number” of independent agents.

“Protecting the information of all our stakeholders is a top priority, and we will continue to partner with our independent agents to prevent similar incidents in the future,” the spokesperson said. “It is important to note that Travelers’ internal systems were not impacted by this incident.”

As PYMNTS wrote earlier this year, companies are focusing more on cybersecurity amid a larger debate surrounding data security in the connected economy, especially in connected workplaces and smart homes.

The PYMNTS Intelligence report “Fraud Management in Online Transactions” found that most eCommerce merchants had dealt with cyberattacks or data breaches in the prior year. Eighty-two percent of these companies suffered an attack in that time, and 47% said the breaches caused them to lose both revenue and customers.