Eight auto insurers will pay $19 million in fines to the state of New York for cybersecurity violations.

According to Adrienne A. Harris, the state’s Department of Financial Services superintendent, the companies had inadequate security in place, allowing data breaches that exposed the private information of more than 825,000 people.

The insurers affected and their fines include:

  • Farmers ($2.77 million)
  • Hagerty Insurance Agency ($1.85 million)
  • Hartford Fire Insurance Company ($3 million)
  • Infinity Insurance Company ($2.25 million)
  • Liberty Mutual ($2.7 million)
  • Metromile Insurance Company ($2 million)
  • Midvale Indemnity Company ($2 million)
  • State Automobile Mutual Insurance Company ($2.5 million)

“DFS’s first-in-the-nation cybersecurity framework has become a model for safeguarding the integrity of our financial system and the personal information of millions of New Yorkers,” Harris said in a statement. “Today’s actions demonstrate the Department’s unwavering commitment to holding institutions accountable when they fail to meet these robust standards, and to ensuring that consumers remain protected from data breaches and other cyber risks.”

The penalties stem from a series of data breaches in which hackers used online auto insurance quoting tools to steal customer information. The hackers could enter names and addresses, and the tools would auto-populate information like driver’s license numbers, vehicle identification numbers, dates of birth and more. The hackers were able to access both public-facing web applications and private, password-protected agent portals to use the quoting tools.

According to New York investigators, the hackers then used that information to file fraudulent unemployment claims during the pandemic.

The investigators found that the insurers didn’t have proper data security controls in place, such as multi-factor authentication or tools that could monitor and detect suspicious patterns, like multiple requests from the same user. In addition to paying the fines, the companies will be required to make changes to their cybersecurity processes.
