Several insurance firms, operating under the names National General and Allstate, are facing serious legal action initiated by the New York State Attorney General. The lawsuit accuses these companies of negligence in safeguarding customer personal information, which reportedly includes significant data breaches within their systems.
The allegations state that National General failed to inform affected individuals about a data breach that occurred in 2021. Following this incident, the company did not adequately assess the potential exposure of sensitive information in other areas of its systems, leading to a more extensive breach in 2022. The New York Attorney General’s office made this announcement in a press release issued on March 10.
The lawsuit claims that National General did not implement satisfactory data security measures, both prior to and following Allstate’s acquisition of its data security operations. Allstate completed its $4 billion acquisition of National General Holdings Corp. in January 2021, as confirmed in a prior corporate press release.
In the statement from New York Attorney General Letitia James, she emphasized the significant risks posed by National General’s inadequate cybersecurity practices. James noted that the company’s failures allowed hackers to compromise the personal data of New Yorkers on two distinct occasions, highlighting a violation of legal obligations to notify affected individuals promptly.
Allstate, in response to inquiries from PYMNTS, stated that the issues identified with its systems were promptly addressed after vulnerabilities were detected in online tools. The company reported that it took immediate action to secure its systems, notified regulators, and reached out to impacted consumers, offering free credit monitoring as a precautionary measure.
Meanwhile, National General has yet to respond to requests for comment from PYMNTS regarding the allegations. The Attorney General’s press release detailed that the initial data breach compromised the driver’s license information of nearly 12,000 individuals, while the secondary breach further affected the driver’s license data of an additional 187,000 consumers.
As part of the legal action, the Attorney General’s office is seeking penalties against the companies and an injunction to stop any ongoing violations of law. The press release highlights a critical legal expectation: under New York law, entities that collect or license private data belonging to New Yorkers are mandated to implement appropriate security measures to protect it.
This case highlights the broader implications of data breaches, particularly as cybersecurity threats continue to evolve. Reports indicate that in 2024, millions of user records were compromised, showcasing some of the most sophisticated cyber threats to date. The ongoing attacks illuminate vulnerabilities within the digital landscape that businesses must navigate carefully.
Given this context, the tactics that could potentially be associated with the breaches involving National General and Allstate may include initial access techniques such as phishing, persistence strategies, and data exfiltration methods, according to the MITRE ATT&CK framework. Understanding these tactics is essential for businesses aiming to bolster their cybersecurity posture in an increasingly complex threat environment.
In summary, the situation surrounding National General and Allstate serves as a critical reminder for businesses regarding the importance of robust cybersecurity practices. Ensuring the protection of personal data is not only a legal requirement but also a fundamental responsibility to maintain consumer trust in an increasingly digital world.
