Just two weeks ago the Empire State made a cool $20 million fining insurers for failing to submit paperwork on time. And now New York State Attorney General Letitia James has filed a lawsuit against National General and its parent company, Allstate Insurance, alleging that the companies failed to protect sensitive consumer data, leading to two major cyberattacks in 2020 and 2021. The lawsuit, announced on Monday for events that happened many years ago, claims that more than 165,000 New Yorkers had their personal information exposed due to security lapses.
According to the lawsuit, hackers exploited vulnerabilities in National General’s online quoting websites between August and November 2020. These sites, which allowed users to obtain auto insurance estimates, reportedly displayed full driver’s license numbers in plain text with minimal user input, making it easy for attackers to harvest sensitive information. The breach compromised the personal data of nearly 12,000 individuals, with over 9,100 of those affected residing in New York.
The Attorney General’s Office contends that National General failed to detect the attack for more than two months due to inadequate monitoring and weak cybersecurity defenses. Even after the breach was discovered, the company allegedly did not notify impacted consumers or relevant state agencies, as required under New York law. Furthermore, the lawsuit states that National General continued to operate another quoting website for independent insurance agents that left customer data similarly exposed.
In October 2020, the company experienced a second and even more significant cyberattack. This time, hackers targeted an independent agent portal, a system that National General was reportedly aware could be vulnerable. The breach affected the driver’s license numbers of more than 187,000 individuals, including approximately 155,000 New Yorkers. The company did not detect this second attack until January 2021.
Under New York State law, businesses that collect or store consumer data must implement robust security measures to prevent unauthorized access. The Attorney General’s Office argues that National General and Allstate violated these protections by failing to enact reasonable safeguards and by neglecting to alert affected consumers promptly.
Attorney General James, in a statement, underscored the severity of the company’s security failures. “National General’s weak cybersecurity emboldened hackers to steal New Yorkers’ personal data, not once but twice in two separate cyberattacks,” she said. “It is crucial that companies take cybersecurity seriously to protect consumers from fraud and identity theft, and my office will always hold those who fail to do so accountable.”
The lawsuit seeks penalties against National General for its alleged failure to secure consumer data and comply with state notification requirements. It also seeks an injunction to ensure the companies address any ongoing security deficiencies.
Allstate, which acquired National General in early 2021, has defended its actions, stating that it promptly secured its systems after discovering the vulnerabilities. “We resolved this issue years ago, promptly securing our systems after finding vulnerabilities in online quoting tools that could have exposed driver’s license numbers,” the company said in a statement. “We promptly notified regulators, contacted potentially affected consumers and offered free credit monitoring as a precaution.”
The lawsuit comes amid increased scrutiny of the insurance industry’s data security practices. In a separate regulatory action, the New York State Department of Financial Services (NYDFS) recently imposed more than $20 million in fines on multiple auto insurers for failing to report timely vehicle coverage data to the state’s Department of Motor Vehicles. That investigation, which penalized major insurers including WR Berkley, CNA, and Munich Re, underscored the state’s intensified focus on consumer protection and industry compliance.
New York regulators have also taken enforcement actions against other major insurers over cybersecurity lapses. In a recent case, Geico and Travelers were fined a combined $11.3 million after security weaknesses exposed sensitive customer information.