Major U.S. auto insurance provider Geico and leading commercial property-casualty insurer Travelers have been ordered by New York state regulators to pay $9.75 million and $1.55 million, respectively, over cybersecurity gaps that led to separate widespread breaches of driver's license numbers, which were later leveraged for fraudulent unemployment benefit claims during the COVID-19 pandemic, according to The Record, a news site by cybersecurity firm Recorded Future.
More than 116,000 New York residents had their driver's license numbers compromised from Geico's systems following the exploitation of its apps' pre-fill functionality and Application Programming Interface, as well as fraudulent policy purchases and claims filing, beginning in November 2020, with the insurer only resolving its system vulnerabilities by March 2021, regulators said. Travelers, meanwhile, had driver's license numbers from 3,912 New Yorkers stolen following an attack against a system used by its independent insurance agents that did not have multi-factor authentication. The fines against both insurers, which have also been required to adopt scheduled system reviews and penetration testing activities, come after the New York Office of the Attorney General sought a cybersecurity investment of more than $1.2 million from a ransomware-hit healthcare provider.