
New York fines GEICO and Travelers $11.3 million in data breach cases


The Government Employees Insurance Company (GEICO) and The Travelers Indemnity Company on Nov. 25 agreed to pay $11.3 million in fines for having poor data security that led to the compromise of the personal information of more than 120,000 New York residents.

GEICO will pay $9.75 million in penalties in a case that affected 116,000 New Yorkers, while Travelers agreed to pay $1.55 million for not protecting the sensitive information of 4,000 state residents.

The fines were part of a settlement reached by New York Attorney General Letitia James and New York State Department of Financial Services (DFS) Superintendent Adrienne A. Harris.

According to Attorney General James, the events at the two auto insurance companies were part of an industrywide campaign by hackers to steal consumers' personal information, including driver's license numbers and dates of birth, from the online auto insurance quoting apps managed by GEICO and Travelers. The GEICO hack started in November 2020, while the height of the attack on Travelers ran from January to April 2021.

In the GEICO case, the state claimed that GEICO failed to respond and implement appropriate security controls despite notifications from DFS about the cyberattacks. The hackers then used the stolen driver's license information to file fraudulent unemployment claims during the COVID-19 pandemic. Travelers did not detect the breach of its agent portal for more than seven months and was alerted to the attack by a third-party prefill data provider.

The AG’s investigation concluded that the auto insurance companies did not implement sufficient data security controls to protect the private information of consumers. The DFS investigation concluded that the auto insurance companies did not comply with DFS’s cybersecurity regulation that requires them to implement policies, procedures, and controls designed to protect consumer data and the financial institutions themselves.

As part of the settlement, both GEICO and Travelers agreed to adopt the following cybersecurity best practices:

  • Maintain a comprehensive information security program to protect the security, confidentiality, and integrity of private information.
  • Develop and maintain a data inventory of private information and ensure the information is protected by safeguards.
  • Maintain reasonable authentication procedures for access to private information.
  • Maintain a logging and monitoring system, as well as reasonable policies and procedures designed to properly configure such systems to alert on suspicious activity.
  • Enhance the company’s threat response procedures.

When breaches result in real-world consequences

The settlements with GEICO and Travelers highlight how cybersecurity lapses can lead to real-world consequences for both organizations and the individuals whose data they are entrusted to protect, said Anne Cutler, cybersecurity evangelist at Keeper Security. Cutler said in both instances, attackers exploited known weaknesses — whether through the lack of multi-factor authentication (MFA) or vulnerabilities in auto quoting tools — resulting in breaches that could have been mitigated with relatively standard security measures.

“These cases reflect a broader challenge many companies face: how to stay ahead of sophisticated cyber threats while balancing operational and financial priorities,” said Cutler. “However, the stakes are simply too high to treat cybersecurity as an afterthought. Regulatory penalties like these emphasize the importance of proactive measures — not only to comply with laws but to safeguard trust and meet the ethical obligations of managing sensitive data. Companies must regularly audit their data to ensure compliance and minimize unnecessary data retention to reduce the risk of exposure.”

Venky Raju, Field CTO at ColorTokens, added that the lack of strong consumer privacy protections in the United States certainly disincentivizes cybersecurity investments. Raju said the fines paid out by breached businesses in recent months have been in the range of $10-100 per consumer, with the individual user getting at best free credit monitoring for a year.

“It will take more significant per-user penalties for businesses to prioritize cybersecurity investments for data breach prevention and reporting,” said Raju. “It should be noted that cybersecurity investments are increasing every year. However, the fact that data breaches are also increasing suggests that the products and solutions being deployed are not effective and we need to find better ways to make the enterprise breach-ready. Businesses must immediately adopt a zero-trust architecture and start implementing technologies like ZTNA, microsegmentation and passwordless authentication.”
