Allstate and several of the insurance company’s subsidiaries were accused of poor security practices resulting in data breaches in 2020 and 2021 that exposed sensitive data on nearly 200,000 people, the New York State Attorney General’s office said in a lawsuit filed Monday.
National General, an insurance company Allstate acquired for $4 billion in 2021, failed to notify almost 12,000 people that their driver’s license numbers were compromised in an attack that went undetected for more than two months until late 2020, prosecutors allege.
Months later, as Allstate closed its acquisition of National General, the company’s auto insurance quoting tool for independent agents was targeted in a larger attack, exposing driver’s license numbers of 187,000 people, according to the lawsuit.
“National General’s weak cybersecurity emboldened hackers to steal New Yorkers’ personal data, not once but twice in two separate cyberattacks,” New York Attorney General Letitia James said in a statement. “National General mishandled New Yorkers’ personal information and violated the law by failing to inform them that their data was stolen.”
Prosecutors allege the back-to-back data breaches were “remarkable in scale because the company made it easy for bad actors.”
National General is accused of intentionally building its online quote tools to populate full driver’s license numbers in plain text during the quoting process. National General left this process unchanged on its quoting site for independent agents after it remediated the first breach, according to the lawsuit.
“We resolved this issue years ago, promptly securing our systems after finding vulnerabilities in online quoting tools that could have exposed driver’s license numbers,” Ben Corey, communications manager at Allstate, said in a statement. “We promptly notified regulators, contacted potentially affected customers and offered free credit monitoring as a precaution.”
New York’s lawsuit against Allstate and its subsidiaries is the state’s latest effort to hold insurance companies financially accountable for what it describes as poor data security. In November, state prosecutors and the New York State Department of Financial Services secured $9.75 million from Geico and $1.55 million from Travelers for cyberattacks on their quoting tools that exposed driver’s license numbers in 2020 and 2021.