New York Attorney General Files Lawsuit Against National General and Allstate for Data Breaches
In a recent development, New York Attorney General Letitia James has initiated a lawsuit against National General Insurance and its parent company, Allstate, for alleged failures in protecting consumers’ personal information. This action comes in the wake of two significant data breaches that occurred in 2020 and 2021, compromising the driver’s license numbers of over 165,000 New Yorkers. The breaches are said to have resulted from National General’s inadequate cybersecurity measures, which allowed unauthorized individuals to access sensitive data.
The Office of the Attorney General (OAG) claims that National General did not inform affected consumers after the initial breach and failed to implement necessary security enhancements. This negligence reportedly led to a second, more extensive incident. Even after Allstate assumed control of National General’s data protection strategies, vulnerabilities remained unaddressed. Given the company’s previous lapses, this lawsuit underscores the pressing need for robust cybersecurity protocols.
Attorney General James expressed her concerns regarding National General’s lax data security, stating that it "emboldened hackers to steal New Yorkers’ personal data" multiple times. She emphasized that the mishandling of personal information constitutes a violation of legal obligations, noting the critical importance for companies to prioritize cybersecurity in order to protect consumers from fraud and identity theft. Her office is committed to holding accountable those who neglect these responsibilities.
This lawsuit represents a broader trend of enforcement actions targeting companies that fail to adequately safeguard consumer information. It follows previous settlements, including a notable $500,000 agreement with Noblr in December 2024 and an $11.3 million penalty imposed on GEICO and Travelers in November 2024 due to similar breaches of data security.
From a cybersecurity perspective, the tactics employed during these breaches could reflect various elements outlined in the MITRE ATT&CK framework. Potential adversary techniques may include initial access through phishing or exploitation of known vulnerabilities, persistence via installation of malware, and lateral movement within the network to escalate privileges. Such maneuvers highlight the critical need for companies to invest in robust cybersecurity defenses and training for employees to prevent similar incidents in the future.
As the landscape of cybersecurity continues to evolve, business owners must remain vigilant in addressing these risks. Effective risk management strategies, regular security audits, and compliance with industry regulations are essential components in safeguarding consumer data and maintaining trust.
In a related note, businesses should stay informed about best practices in data protection and consider subscribing to reputable cybersecurity news services. This proactive approach can help mitigate potential risks and enhance organizational resilience against future data breaches.
