Description
The New York Attorney General filed a lawsuit against multiple insurance companies that allegedly failed to protect the personal information of New York drivers from being compromised in cyberattacks. The timeline of the breach incidents is as follows:
- August 2020 – The first attack against the National General insurance company
- October 2020 – A second attack takes place
- November 2020 – The first attack is identified by National General
- January 4, 2021 – Allstate acquires National General for $4 billion
- January 28, 2021 – The second attack is identified
- February 2021 – Allstate discloses the first attack and manages to stop the attacks after implementing security changes
- March 2021 – Allstate reports the incident to the Office of Attorney General
- April 2, 2021 – Allstate notifies New York state residents about the breaches
The two breaches combined exposed the driver’s license numbers of more than 165,000 New Yorkers.
Details of the Attack
The attackers exploited National General’s online auto insurance quote tools, which were accessible to both consumers and independent agents selling National General insurance. During the quoting process, the tools automatically displayed full driver’s license numbers (DLNs) in plain text, not just for the primary user but also for all drivers at the same address. Attackers used this behavior to access numerous DLNs of New Yorkers.
Basis of the Case
The New York Office of the Attorney General (OAG) alleges that National General failed to implement adequate data security measures, both before and after Allstate took control of its data security operations. The AG claims that National General’s initial inaction and failure to notify impacted consumers directly enabled a subsequent cyberattack. The lawsuit cites violations of multiple regulations, including New York’s data breach notification law, state consumer protection statutes, and the Gramm-Leach-Bliley Act (GLBA) safeguards requirements.
Call to Action
This incident serves as a case study for the state of cybersecurity today on multiple fronts. It highlights the need for thorough vetting of acquisition or merger targets, as the consequences of security incidents and undiscovered vulnerabilities come with significant financial and reputational costs.
The incident highlights the growing complexity of cybersecurity regulations put forward by states across the country. As new compliance mandates continue to emerge, businesses must stay informed and proactive in adapting their security policies to avoid non-compliance penalties. Establishing a compliance monitoring strategy ensures that organizations meet evolving legal and industry standards.
From a cybersecurity standpoint, the incident shows the importance of masking sensitive information. In this case, masking driver’s license numbers during the quoting process would have prevented them from being exposed in plain text and reduced the chance of a breach. Conducting regular security audits to identify vulnerabilities in the system could have helped detect and fix weaknesses before they were exploited.
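The masking described above, as an added example that is not code from National General, Allstate, or this bulletin: a server-side serializer that masks the DLN of the applicant and of every household driver before the quote response leaves the server, plus an audit check that no stored DLN appears in the output. The record layout, field names, and three-character visible suffix are assumptions.

```python
import json
import re

VISIBLE_SUFFIX = 3  # assumption: trailing characters shown so a user can recognize the number

def _compact(dln):
    """Strip spaces, dashes and other separators from a license number."""
    return re.sub(r"[^A-Za-z0-9]", "", dln)

def mask_dln(dln, visible=VISIBLE_SUFFIX):
    """Return a display-safe form of a driver's license number, or None if absent."""
    if not dln:
        return None
    compact = _compact(dln)
    # Never reveal more than a third of the value, so short numbers stay masked.
    shown = min(visible, len(compact) // 3)
    return "*" * (len(compact) - shown) + (compact[-shown:] if shown else "")

def build_quote_response(record):
    """Serialize a stored quote record for the browser without any full DLN."""
    def public_driver(d):
        return {"name": d["name"], "dln_masked": mask_dln(d.get("dln"))}
    return {
        "quote_id": record["quote_id"],
        "applicant": public_driver(record["applicant"]),
        # Household members are masked too, not only the primary applicant.
        "household_drivers": [public_driver(d) for d in record.get("household_drivers", [])],
    }

def leaked_dlns(record, response):
    """Audit check: stored DLNs that appear (raw or compacted) in the response body."""
    body = json.dumps(response)
    drivers = [record["applicant"], *record.get("household_drivers", [])]
    return [d["dln"] for d in drivers
            if d.get("dln") and (d["dln"] in body or _compact(d["dln"]) in body)]

# Constructed sample record; names and numbers are made up.
SAMPLE = {
    "quote_id": "Q-0001",
    "applicant": {"name": "A. Example", "dln": "123456789"},
    "household_drivers": [
        {"name": "B. Example", "dln": "987 654 321"},
        {"name": "C. Example", "dln": None},
    ],
}

if __name__ == "__main__":
    resp = build_quote_response(SAMPLE)
    print(json.dumps(resp, indent=2))
    print("leaks:", leaked_dlns(SAMPLE, resp))
```

Running `leaked_dlns` against every response shape in a test suite turns the masking rule into a regression check rather than a display convention.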