API Security , Finance & Banking , Industry Specific
New York Fines Geico, Travelers $11.3M for Data Breaches
Fines Tied to Wave of 2021 Driver's License Number TheftNew York state authorities fined auto insurance giant Geico $9.75 million for failing to protect customers' driver's license numbers during a wave of cyber incidents in early 2021.
See Also: Bank on Seeing More Targeted Attacks on Financial Services
Travelers will also pay $1.55 million after hackers used stolen credentials to filch license numbers in mid-2021.
Incidents at both companies involved hackers triggering internal systems to send unencrypted data, found investigators at the New York Department of Financial Services, which assessed the fines alongside the office of the state attorney general. Hackers used the stolen license numbers while filing fraudulent unemployment claims during the novel coronavirus pandemic (see: Geico Says Driver's License Numbers Stolen From Website).
Hackers began exploiting Geico systems in Jan. 2021, at first using the auto-underwriter's online tool to obtain quotes, investigators said. At the time, Geico used a third-party form pre-fill provider to supply prospective customers' full license numbers after receiving data such as their name, address and date of birth.
After discovering the hack, Geico ceased that practice - but hackers regrouped to obtain license numbers after discovering that the underwriter's auto-claims website transmitted license numbers in a claim receipt message. Hackers used stolen identities and fabricated bank account details to establish new accounts, promptly filing a claim to obtain the license number, sent as unredacted plain text.
Geico again modified its systems, leading to another threat actor innovation. Hackers found they could access an API used by insurance agents that was exposed in the source code of the Geico auto insurance purchase page. Investigators said "there was no reason" for the code to be publicly exposed. Sometime in February, hackers learned to automate API queries, resulting in between 10,000 and 25,000 stolen customer records per day between Feb. 24, 2021, and March 1, 2021. The insurer didn't detect the attack until it received an extortion demand from hackers - and a separate message from an individual who told Geico he had a personal falling out with the threat actors. That individual walked the company through how attackers stole data and how to prevent the attack.
A Geico spokesperson in a prepared statement said the insurer self-reported the incidents to New York authorities and has since "made improvements to its systems to prevent additional exploitation by these fraudsters."
The data breach at Travelers likewise involved driver's license numbers delivered in plain text to a portal used by independent insurance agents. Threat actors used compromised login credentials to access the portal in April 2021, in an attack authorities said Travelers learned about in November after notification from its third-party prefill data provider.
A Travelers spokesperson stressed that the incident involved "the stolen credentials of a limited number of independent agents" and added that "it is important to note that Travelers' internal systems were not impacted by this incident."
Consent orders signed by both insurers commit the firms to strengthening their cybersecurity programs, including maintaining an inventory of private information and ensuring that the data is protected.
"Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously," said New York Attorney General Letitia James.