New York Attorney General Letitia James has initiated legal proceedings against Allstate’s National General unit, citing the company’s inadequate protection of consumer data and its failure to report data breaches that compromised thousands of drivers’ license numbers. This lawsuit was filed in a Manhattan state court on Monday, seeking both financial penalties and enhanced security measures to safeguard consumer information.
The data breaches in question, which occurred in 2020 and 2021, arose from vulnerabilities in National General’s online auto insurance quoting tools. Cybercriminals exploited these weaknesses, resulting in the exposure of the driver’s license information of over 165,000 residents of New York, affecting nearly 200,000 individuals nationwide.
The attorney general’s office alleges that National General did not implement adequate security measures to prevent unauthorized access and failed to promptly notify the affected parties and relevant state authorities. According to the complaint, the issues began with a breach that occurred between August and November 2020, which was not disclosed until much later. A second, more significant breach came to light in early 2021, months after the exposure of sensitive data.
This legal action claims that National General’s inaction violates the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which obligates businesses to protect private data and report breaches in a timely manner. Attorney General James has publicly criticized National General for its lax security protocols, asserting that inadequate cybersecurity defenses allowed malicious actors to compromise the company twice in quick succession. The lawsuit demands penalties that could reach up to $5,000 for each violation.
Allstate, which purchased National General for approximately $4 billion in January 2021, has defended its response to the breaches, stating that it acted swiftly to address the vulnerabilities once they were identified. The company claims it notified regulators and provided credit monitoring services to the individuals affected by the breaches. Nonetheless, the lawsuit argues that the company’s measures were insufficient and that stronger security protocols should have been in place to prevent such incidents from occurring.
Leading security awareness advocate Erich Kron of KnowBe4 highlighted the dangers associated with the failure to notify customers about breaches, emphasizing that stolen data could be leveraged by malicious entities to impersonate insurance firms and defraud consumers. Such tactics could include contacting victims while masquerading as representatives of their insurance company, subsequently convincing them that immediate payment is required.
This legal action is part of a broader trend, as New York state regulators have recently imposed penalties on other insurance firms, including Geico and Travelers, for security failures that compromised consumer data. The Attorney General’s office remains steadfast in its commitment to enforcing accountability among companies that fail to protect sensitive personal information.
As cybersecurity scrutiny intensifies, organizations that do not meet data protection standards may face increased legal repercussions. Kron cautioned that timely and actionable communication with those whose data has been compromised is crucial for maintaining consumer trust and minimizing the repercussions of such breaches.
In the context of the incident, several MITRE ATT&CK adversary tactics may have been employed, including initial access through exploitation of web application vulnerabilities, privilege escalation to broaden that access, and possibly lateral movement within the network to reach and extract sensitive information. Businesses should remain vigilant against such tactics and ensure robust cybersecurity measures are in place to protect against potential breaches.