N.Y. AG files complaint in Allstate data breach
In yet another sign that insurers are facing increased scrutiny over the safeguarding of policyholder information, the New York Attorney General has accused Allstate Insurance Company and its affiliates of failing to build proper data security protections and of failing to notify customers of serious data breaches.
The 60-page complaint filed Monday by AG Letitia James says Allstate-owned company National General Holding Company built a policy quotation website that was so porous and unsecured it allowed internet hackers in two separate attacks to easily obtain drivers’ license numbers (DLNs) and other personal information of hundreds of thousands of consumers. Moreover, according to the complaint, National General delayed for months notifying customers and regulators of the breaches, as required by law.
Company 'made it easy for bad actors'
“The incidents at National General were remarkable in scale because the company made it easy for bad actors,” says the complaint. “The first attack was on a pair of consumer-facing websites that allowed users to obtain auto insurance policy quotes, which National General had intentionally designed to expose consumers’ private information with little prompting. Attackers discovered these weaknesses and used computer programs known as ‘bots’ to harvest consumers’ DLNs from the websites with significant speed.”
The attacks went undetected for more than two months, until November of 2020, by which time the information of nearly 12,000 consumers had been exposed. Even after that problem was fixed, the AG complaint says, the insurer was victimized by a second, larger attack on its agents’ quoting tool that compromised an additional 187,000 consumers.
“While the specific source of the breaches was National General’s design and release of several insecure websites, the broader cause of the incidents was National General’s prioritization of profit over the implementation of reasonable data security safeguards,” the New York State complaint says.
Although the data attacks occurred before Allstate acquired National General (formerly GMAC Insurance Group) in 2021 for $4 billion, the company’s data security still fell below the standard required by New York state law, the complaint says.
Allstate says problems remediated
For its part, Allstate says this is old news and the problems were long ago remediated.
“We resolved this issue years ago, promptly securing our systems after finding vulnerabilities in online quoting tools that could have exposed driver's license numbers,” Allstate said in a statement. “We promptly notified regulators, contacted potentially affected consumers, and offered free credit monitoring as a precaution.”
The original problem was due to the poor design of its policy quotation web tools, which were intended to provide consumers with a fast quote for auto insurance. But, according to the complaint, National General intentionally built the tools to automatically populate the DLNs of not just the person entering their name and address, but of all drivers identified as living at that consumer’s address.
“DLNs are valuable to bad actors because they can be used for many forms of fraud, including identity theft and government benefits fraud,” the AG said. “Indeed, according to the New York State Department of Financial Services (DFS), the attacks on National General’s websites appeared to have been part of a ‘systemic and aggressive campaign . . . to steal nonpublic information.’”
The suit against Allstate, which asks for injunctive relief and civil penalties of up to $5,000 for each individual violation, follows by days an action by the DFS against three dozen auto insurers for misappropriating driver policy information, fining them a total of $20 million for failing to timely report new and terminated policies.
N.Y. case may set precedent for data breach cases
Some attorneys and analysts contend the New York cases might set precedents in how data breaches are dealt with legally and the level of responsibility corporations have in safeguarding private consumer information.
“I expect that car insurers and other third parties in their broader orbit are going to be in for a lot of scrutiny in the years ahead because of their data collection and sharing practices,” said Peter Jackson, an attorney in the intellectual property group at the firm of Greenberg Glusker. “There’s an increased focus and scrutiny on insurers and the role that they play in data sharing and transfer because they want as much data as they can get to be able to set rates. And much of the information that they want is often protected by consumer privacy laws.”
Jackson points out that in many cases it’s not the insurer itself collecting the data but third-party companies, or even electronic devices attached to the policyholder’s automobile.
“And there are data clearinghouses that are kind of in between,” he said. “LexisNexis has an arm that is basically directed towards amassing all of this data and then licensing it out.”
Indeed, in the Allstate case, the name and address provided by the user would be automatically populated on a “Driver Details” page within the consumer quoting tool using a process referred to as “prefill.” With prefill, the consumer quoting tool queried National General’s third-party data provider, LexisNexis Risk Solutions, for driver and vehicle information associated with the entered name and address. The tool then automatically displayed the results it received from Lexis: the name of the consumer whose information had been entered by the user, the entire DLN of that consumer, the names of any other drivers identified as potentially living at that consumer’s address, and the entire DLNs of those other drivers.
“National General designed the consumer quoting tool so that all of this information would appear in plain text—i.e., fully exposed—to the user of the tool,” reads the complaint. “In effect, if a user of the consumer quoting tool entered a consumer’s name and address, the tool would automatically populate the quoting screens with the fully visible names and DLNs of all drivers identified as living at the consumer’s address without any sort of authentication that the user was entitled to view the information.”
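The two design choices the complaint singles out, returning full DLNs for everyone at an address and doing so without any check that the requester is entitled to them, are easy to model. The following is an added illustration, not National General's or Allstate's code: an in-memory household table stands in for the third-party prefill lookup, and the masking, the knowledge check and the per-client enumeration limit in the hardened version are assumed controls chosen here to contrast with the weak pattern, not controls the complaint describes. Names, licence numbers and IP addresses are constructed.

```python
"""Prefill design: the weak pattern beside a hardened one.

Added illustration, not National General's or Allstate's code. The household
table stands in for the external data provider; masking, the knowledge check
and the enumeration limit are assumed controls for the sake of contrast.
"""
import hmac
from collections import defaultdict

# Constructed sample data; names and DLNs are fictitious.
HOUSEHOLDS = {
    ("jane doe", "1 main st"): [
        {"name": "Jane Doe", "dln": "D1234567"},
        {"name": "John Doe", "dln": "D7654321"},
    ],
}


def lookup_prefill(name, address):
    """Stand-in for the third-party prefill query keyed on name and address."""
    return HOUSEHOLDS.get((name.strip().lower(), address.strip().lower()), [])


def quote_prefill_insecure(name, address):
    """Weak design: every household driver's full DLN is returned to whoever
    typed a name and address, with no check that they may see it."""
    return [dict(d) for d in lookup_prefill(name, address)]


def mask_dln(dln):
    """Keep only the last two characters so a legitimate user can recognise
    their own licence without the server disclosing it."""
    return "*" * (len(dln) - 2) + dln[-2:]


class QuoteService:
    """Hardened design: confirm rather than disclose, and cut off a client
    that looks up many distinct identities (the bot-harvesting pattern)."""

    def __init__(self, max_identities=10):
        self.max_identities = max_identities
        # client_ip -> set of distinct (name, address) pairs it has looked up
        self.seen = defaultdict(set)

    def quote_prefill(self, name, address, client_ip, claimed_dln=None):
        key = (name.strip().lower(), address.strip().lower())
        self.seen[client_ip].add(key)
        if len(self.seen[client_ip]) > self.max_identities:
            raise PermissionError("identity enumeration limit exceeded")
        results = []
        for driver in lookup_prefill(name, address):
            if driver["name"].lower() != key[0]:
                # Other household members: name only. The user supplies their
                # licence details manually instead of having them prefilled.
                results.append({"name": driver["name"], "dln": None,
                                "verified": False})
                continue
            # Primary driver: masked DLN plus a knowledge check. The user types
            # the DLN and the server compares it in constant time.
            verified = claimed_dln is not None and hmac.compare_digest(
                claimed_dln.encode(), driver["dln"].encode())
            results.append({"name": driver["name"],
                            "dln": mask_dln(driver["dln"]),
                            "verified": verified})
        return results


def harvest(service, identities, client_ip):
    """Simulate a bot walking a list of (name, address) pairs from one
    address; return how many lookups were served before the cut-off."""
    served = 0
    for name, address in identities:
        try:
            service.quote_prefill(name, address, client_ip)
        except PermissionError:
            break
        served += 1
    return served


if __name__ == "__main__":
    print(quote_prefill_insecure("Jane Doe", "1 Main St"))
    svc = QuoteService(max_identities=3)
    print(svc.quote_prefill("Jane Doe", "1 Main St", "198.51.100.7"))
    print(svc.quote_prefill("Jane Doe", "1 Main St", "198.51.100.7",
                            claimed_dln="D1234567"))
    bot_list = [("Name %d" % i, "%d Elm St" % i) for i in range(20)]
    print(harvest(QuoteService(max_identities=3), bot_list, "203.0.113.9"))
```

The hardened service never places a full licence number on the wire: the primary driver sees a masked value and proves knowledge by typing the full DLN, which the server compares rather than displays, and other household members are listed by name only. The enumeration limit counts distinct identities per client rather than raw requests, so a legitimate user retrying the same quote is not penalised while a bot walking a list of names is cut off after a handful of lookups.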
© Entire contents copyright 2025 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.
Doug Bailey is a journalist and freelance writer who lives outside of Boston. He can be reached at [email protected].