Insurance giants Geico and Travelers have been fined more than $11 million by New York state regulators over a data leak in 2020 that exposed the driver’s license numbers of about 120,000 New Yorkers. 

Hackers used the stolen driver’s license numbers to file fraudulent unemployment benefit claims in New York state, pilfering thousands of dollars at the height of the COVID-19 pandemic. 

New York Attorney General Letitia James and New York State Department of Financial Services Superintendent Adrienne Harris hit both companies with penalties for having “poor data security” which allowed the sensitive information to be exposed. 

Auto insurance companies maintain websites to provide insurance quotes to potential customers and the sites typically have features that automatically fill in applications after people enter their names or address. Companies like Geico and Travelers work with third party data brokers to provide the information as a way to expedite insurance purchases — automatically pulling up a person’s driver’s license number or vehicle identification number that someone may not have on hand. 

In November 2020, hackers began targeting Geico’s applications using the pre-fill function to access the driver’s license numbers of more than 116,000 New Yorkers. More than a month later, Geico discovered a spike in the number of applications that were being pre-filled but not completed.

By January 2021, Geico instituted a new measure in an effort to mask driver’s license numbers and the company’s cybersecurity team began a review, searching the dark web for evidence that hackers had been stealing and compiling the numbers. 

They found cybercriminals discussing breaching Geico’s system and stealing driver’s license numbers. In some instances, hackers were purchasing policies and filing fraudulent claims to gain access to customers' driver's licence numbers. Geico discovered that hackers then found another way to get access to the numbers through its Application Programming Interface (API).

In February 2021, the company reported the incident to the New York Attorney General’s office but several regulators in New York state warned Geico that its systems were still exposed. 

"Despite being aware of threat actor discussions on how to exfiltrate [driver’s license numbers] from Geico, experiencing at least two different attacks on its consumer quoting tool to extract [driver’s license numbers] and receiving repeated alerts from DFS corroborating a 'systemic and aggressive campaign' to steal [driver’s license numbers] and warning of the threat actors' continuously evolving tactics and discovery of additional points of exposure, Geico did not correctly identify activity on its API endpoints as threat actors exfiltrating [driver’s license numbers],” regulators said. 

It took Geico another month to fully address all of the security loopholes being exploited by the hackers. In total, the hackers stole 135,414 driver's license numbers, about 116,611 of which belong to New York residents. 

The attorney general’s office said these stolen numbers were "used in fraudulent unemployment claims filed with the New York State Department of Labor.” 

“Although the Department of Labor identified many of these fraudulent claims prior to issuing any payments, thousands of fraudulent claimants receive at least some amount of unemployment benefits issued in the name of the victims of the attacks,” officials said. 

As part of the settlement, Geico has to implement a data security program, hire someone to monitor the program and report on the program’s efficacy annually. In 60 days, both companies have to develop an inventory of all the systems handling customer information and create guidelines on how they will be protected. 

Travelers operates a similar system but hackers targeted one that is provided to independent insurance agents. While it required a username and password, Travelers did not require multi-factor authentication. 

The New York State Department of Financial Services (DFS) sent several warnings to the company explaining that hackers were targeting the instant quote application in 2020. 

Travelers only began investigating the incident in November 2021, finding that multiple insurance brokers had accounts that had been breached. In total, the hackers accessed 88,858 customer driver's license numbers, 3,912 of which were from New Yorkers. 

As with Geico, the numbers were used to file fraudulent unemployment benefit claims. 

Both the Office of the Attorney General (OAG) and DFS issued separate fines to each company. Geico will pay $4.75 million to the OAG and $5 million to DFS while Travelers will pay $350,000 to OAG and $1.2 million to DFS. 

Both companies will also have to abide by other security measures, including regular penetration tests and system reviews. 

This is the latest action taken by James’ office after several large fines penalizing companies that did not do enough to protect consumer information. In January, she made a healthcare provider invest more than $1.2 million on cybersecurity after a 2021 ransomware attack exposed the sensitive information of more than 250,000 people. 

Last year, she used other settlements to force a local college to invest $3.5 million into cybersecurity after a 2021 data breach leaked troves of sensitive information about almost 200,000 people.