Geico and Travelers Cos. Inc. have agreed to pay a combined $11.3 million in penalties following data breaches that exposed the personal information of over 120,000 New York residents. The penalties are part of settlements with the New York Department of Financial Services (DFS) and the state attorney general.
Geico’s breach occurred in November 2020 when hackers accessed its online quoting tools, exposing sensitive data like driver’s license numbers.
The breach was due to inadequate backend security and vulnerabilities in the quoting platform. Geico will pay $9.75 million and commit to improved cybersecurity measures, including comprehensive risk assessments and penetration testing.
Travelers faced a 2021 breach in which hackers used stolen credentials to access its agent portal, which lacked multifactor authentication.
This breach compromised the data of about 4,000 individuals, and it took Travelers seven months to detect it. The company will pay $1.55 million and strengthen its access controls to prevent future breaches.
These enforcement actions highlight the importance of robust cybersecurity protocols, especially for companies handling consumer financial information, to protect against cyber threats.