Insurance giant Allstate is set to face civil charges after falling victim to a pair of data breaches.New York State Attorney General Letitia James filed suit against Allstate and its affiliated companies on charges of failing to protect customer data when estimating car insurance quotes.In the suit, James alleged that Allstate and National General Insurance violated state law by failing to secure customer data and then failing to notify customers following a pair of data breaches.The incidents in question occurred in 2020 and 2021, and exposed the data of 165,000 people in New York state. The exposed information included customer driver’s license numbers (DLN), something considered personal private information.“In those breaches, bad actors targeted online auto insurance quoting tools that National General made available to consumers and independent agents who sold National General insurance,” the AG’s office said in the filing.“These tools were intended to provide consumers, either on their own or through an agent, with a fast quote for auto insurance. However, National General intentionally built these tools to automatically populate consumers’ entire DLNs in plain text — in other words, fully exposed on the face of the quoting websites — during the quoting process.”According to the AG’s office, the issue stems from the way Allstate and National General ran the website tasked with providing perspective customers with quotes on their insurance rates.It is alleged that the company was all to happy to collect DLN and other personal information from visitors, but failed to adequately encrypt and secure those databases from outside attackers.After suffering the first attack in 2020, the company is alleged of not only failing to notify authorities, but also of leaving open the avenues of attack, which eventually enabled a subsequent attack in 2021.“National General’s weak cybersecurity emboldened hackers to steal New Yorkers’ personal data, not once but twice in two separate cyberattacks,” James said in announcing the suit against Allstate and National General.“National General mishandled New Yorkers’ personal information and violated the law by failing to inform them that their data was stolen. It is crucial that companies take cybersecurity seriously to protect consumers from fraud and identity theft, and my office will always hold those who fail to do so accountable.”While the suit is limited to those within New York state, the legal action would likely have ramifications across the country due to New York being a hub of corporate activity. The state’s legal actions tend to set a precedent for other states to file their own actions and spur companies to roll out widespread remediation plans.James has been particularly active in prosecuting companies that have allowed data breach incidents. The AG has extracted fines from Geico and PayPal for failing to secure customer data from threat actors.
