Insurers Hit With $14.2M Fine For Data Heist

NEW YORK – Eight car insurance giants are shelling out a combined $14.2 million after New York Attorney General Letitia James exposed their shockingly lax data security. The companies allowed hackers to pilfer the personal information – driver’s license numbers, dates of birth – of over 825,000 New Yorkers, a treasure trove quickly exploited for fraudulent unemployment claims during the pandemic.

The investigation, a joint effort by the Attorney General’s Office (OAG) and the New York State Department of Financial Services (DFS), revealed a pattern of negligence. These weren’t sophisticated hacks; they were opportunistic grabs facilitated by companies failing to implement basic data protections. The OAG found the companies were utilizing a dangerous “pre-fill” function on their online quote tools. Enter a name and birthdate, and the system would auto-populate fields with sensitive data sourced from data brokers – driver’s license numbers and more – all without adequate safeguards.

“New Yorkers pay hundreds of dollars in car insurance each month. When they go searching for a cheaper option, they should not have to worry that their private information could be stolen,” Attorney General James stated bluntly. “These eight car insurance companies had poor cybersecurity that allowed hackers to easily steal New Yorkers’ personal information and use some of the information for fraud. I thank the Department of Financial Services and the Department of Labor for their partnership and continued work to hold companies accountable when they fail to protect consumers.”

The companies facing penalties include American Family Mutual Insurance Company/Midvale Indemnity Company, Farmers Insurance, Hagerty Insurance Agency, The Hartford Insurance Group, Infinity Insurance Company, Liberty Mutual Insurance, Metromile, and State Auto Mutual Insurance Company. Each enabled online quote tools, some even offering agent-accessible versions, creating multiple vulnerabilities. The OAG specifically targeted the “pre-fill” function, finding companies failed to secure this data, essentially handing it over on a silver platter to anyone who knew where to look.

This isn’t a one-off bust. Attorney General James previously secured $6.5 million from four other car insurance companies for similar failures, bringing the total recovered to $20.79 million from ten insurers. Affected New Yorkers will receive one year of free credit report monitoring, a small consolation for the potential long-term fallout of identity theft. The OAG is urging all companies to heed their guidance on data protection, but the question remains: will these settlements be enough to force real change, or just another slap on the wrist for corporations prioritizing profit over privacy?

The investigation continues, and Attorney General James has vowed to pursue further action against any organization that puts New Yorkers’ personal data at risk. The OAG’s message is clear: lax security isn’t just bad business, it’s a crime, and they will be held accountable.