NEW YORK – New York Attorney General Letitia James has secured $975,000 in penalties from Root, an auto insurance company, for failing to protect the personal information of approximately 45,000 New Yorkers. The data breach was part of an industry-wide campaign to steal consumers’ personal information, including driver’s license numbers and dates of birth, from online automobile insurance quoting applications. The data thieves then used some of the stolen driver’s license information to file fraudulent unemployment claims at the height of the COVID-19 pandemic. Root does not offer insurance in New York, but the company’s security failures allowed scammers to gain access to New Yorkers’ driver’s license numbers and personal information. Attorney General James recently secured $5.1 million from GEICO and Travelers, as well as $500,000 from Noblr, for also failing to protect New Yorkers’ data. Today’s settlement brings the total amount secured from auto insurance companies for their failure to protect New Yorkers’ data to $6.57 million.
“When companies have poor data security practices, they put individuals at risk of identity theft and other fraud,” said Attorney General James. “Auto insurance companies need to make sure that the systems they use to store people’s data are protected to prevent cybercriminals from stealing driver’s license numbers, Social Security numbers, and other private information. Today’s settlement should send a message to companies in the auto insurance industry that my office will take action to protect New Yorkers’ private information.”
Root is an insurance company that allows consumers to obtain a price quote through its website. After limited personal information was entered, the online quoting tool “pre-filled” personal information such as driver’s license numbers. Root’s system exposed full, plaintext driver’s license numbers in a PDF generated at the end of the auto quote process…