The State of New York has filed suit against Allstate Insurance, claiming the online quoting system of one of its subsidiaries shared the personal data of thousands of drivers with anyone who searched for it.

The suit was filed on March 10 by New York Attorney General Letitia James. It states that National General Insurance, which was acquired by Allstate in 2021, suffered back-to-back data breaches in 2020 and 2021 that exposed the driver's license numbers of nearly 200,000 consumers. Around 165,000 of these people were New Yorkers. The attackers in those breaches allegedly gained access to this information using the online quoting tools National General provided for both agents and consumers.

While online quoting tools are commonplace in the industry, the suit alleges National General intentionally built its tools so that customers' entire driver's license numbers would auto-populate during the quoting process. Along with the license number of the driver whose name and address were entered by the person using the tool, it also automatically populated the driver's license numbers (DLNs) of all other drivers identified at that address.

The suit notes that the New York State Department of Financial Services (DFS) believed the attacks on National General to be part of a “systematic and aggressive campaign… to steal nonpublic information.” DFS warned that driver's license data can be used in several kinds of fraud, including that involving identity theft and government benefits fraud. In this case, DFS warned that the information stolen from the quoting tools of auto insurance companies would be used to submit fraudulent claims for pandemic and unemployment benefits.

In the court filing, the state outlines the aftermath of the attacks on National General:

“The incidents at National General were remarkable in scale because the company made it easy for bad actors. The first attack was on a pair of consumer-facing websites that allowed users to obtain auto insurance policy quotes, which National General had intentionally designed to expose consumers’ private information with little prompting. Attackers discovered these weaknesses and used computer programs known as “bots” to harvest consumers’ DLNs from the websites with significant speed. Because National General had not instituted tools to meaningfully block such automated attacks or sufficiently monitor for potentially malicious activity, National General did not detect these attacks for over two months, until November 2020. In that period, the DLNs of almost 12,000 consumers, including more than 9,100 New Yorkers, were compromised.”
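As an added illustration of the two failures the complaint describes (a quote form that returns the full DLN of every driver at an address once a name and address are entered, and no controls or monitoring against automated harvesting), the following example code contrasts that pattern with a hardened version and adds a simple harvesting detector run over request logs. It is not from the article, the court filing or National General's systems; the function names, the sample household records, the log lines and the rate thresholds are all constructed assumptions.

```python
"""Added example: exposed vs. hardened quote pre-fill, plus harvesting detection.
Everything here (records, endpoint names, thresholds, log lines) is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Driver:
    name: str
    address: str
    dln: str  # full driver's license number held on file (constructed value)


# Constructed stand-in for a policyholder database keyed by street address.
HOUSEHOLDS = {
    "10 MAIN ST, ALBANY NY": [
        Driver("Ann Example", "10 MAIN ST, ALBANY NY", "123456789"),
        Driver("Bob Example", "10 MAIN ST, ALBANY NY", "987654321"),
    ],
}


def quote_prefill_exposed(name, address):
    """The pattern the complaint describes: given only a name and address,
    the response carries the full DLN of every driver at that address."""
    return [{"name": d.name, "dln": d.dln} for d in HOUSEHOLDS.get(address, [])]


def mask_dln(dln):
    """Keep only the last two characters so a user can confirm it is theirs."""
    return "*" * (len(dln) - 2) + dln[-2:]


def quote_prefill_hardened(name, address):
    """Hardened pre-fill: only the named driver, only a masked hint.
    The full DLN stays server-side; the quote engine can still use it
    internally without ever returning it to the browser."""
    for d in HOUSEHOLDS.get(address, []):
        if d.name.lower() == name.lower():
            return [{"name": d.name, "dln_hint": mask_dln(d.dln)}]
    return []


# Constructed request log: (timestamp_seconds, client_ip, name, address).
# One client makes three lookups over ten minutes; another makes fifty in
# fifty seconds with a different name/address each time, i.e. enumeration.
SAMPLE_LOG = [
    (0, "203.0.113.5", "Ann Example", "10 MAIN ST, ALBANY NY"),
    (300, "203.0.113.5", "Ann Example", "10 MAIN ST, ALBANY NY"),
    (600, "203.0.113.5", "Bob Example", "10 MAIN ST, ALBANY NY"),
]
SAMPLE_LOG += [
    (i, "198.51.100.7", f"Guess {i}", f"{i} ELM ST, BUFFALO NY") for i in range(50)
]


def flag_harvesting(log, window_s=60, max_lookups=20):
    """Sliding-window velocity check per client: any client exceeding
    max_lookups distinct quote lookups inside window_s seconds is flagged.
    Thresholds are assumptions; tune them to real traffic."""
    flagged = set()
    recent = defaultdict(list)  # client_ip -> timestamps inside the window
    for ts, ip, _name, _address in sorted(log):
        q = recent[ip]
        q.append(ts)
        while q and q[0] < ts - window_s:
            q.pop(0)
        if len(q) > max_lookups:
            flagged.add(ip)
    return flagged


if __name__ == "__main__":
    print("exposed :", quote_prefill_exposed("Ann Example", "10 MAIN ST, ALBANY NY"))
    print("hardened:", quote_prefill_hardened("Ann Example", "10 MAIN ST, ALBANY NY"))
    print("flagged :", flag_harvesting(SAMPLE_LOG))
```

The hardened handler addresses the design point (the server never has to send a full DLN to pre-fill a form, and a name-plus-address lookup should not return other household members), while the velocity check addresses the monitoring gap the filing cites: the same detector, fed from real access logs, would have surfaced the two-month harvesting run long before November 2020.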

The suit alleges that in the wake of the first breach, National General violated state data breach notification laws by not alerting affected New Yorkers or any other relevant New York agencies. This, they say, prevented these customers from being able to take prompt action to protect themselves from potential repercussions of the attack. It also delayed state agencies’ ability to quickly investigate the breach.

The suit continues:

“Worse yet, even after it remediated the first breach, National General left consumers’ entire DLNs fully exposed on the online auto insurance quoting tool it made available to its network of independent agents. Attackers, predictably, targeted the agent quoting tool in a second, far larger breach that compromised an additional 187,000 consumers’ DLNs, including the DLNs of approximately 155,000 New Yorkers.”

The State of New York seeks the following judgment in this case:

  • Permanently enjoining the defendants from violating the laws of the state of New York, including GBL §§ 899-aa, 899-bb, 349, and 350, and Executive Law § 63(12);
  • Directing National General to pay a civil penalty of $20 for each knowing or reckless violation of GBL § 899-aa, pursuant to GBL § 899-aa(6);
  • Directing the defendants to properly notify each New York state resident whose private information was acquired without authorization;
  • Directing Defendants to pay a civil penalty of $5,000 for each violation of GBL Article 22-A, pursuant to GBL § 350-d;
  • Directing such other equitable relief as may be necessary to redress Defendants’ violations of New York law;
  • Awarding the plaintiff costs of $2,000 per Defendant pursuant to CPLR § 8303(a)(6); and
  • Granting such other and further relief as the Court deems just and proper.

A full copy of the lawsuit can be found here.

© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.