ATTORNEY GENERAL JAMES SECURES $14.2 MILLION FROM CAR INSURANCE COMPANIES OVER DATA BREACHES - Insurance News | InsuranceNewsNet

October 14, 2025 Newswires

ATTORNEY GENERAL JAMES SECURES $14.2 MILLION FROM CAR INSURANCE COMPANIES OVER DATA BREACHES

States News Service

The following information was released by the office of the New York Attorney General:

New York Attorney General Letitia James today secured $14.2 million from eight car insurance companies for failing to protect the private information of more than 825,000 New Yorkers. The data breaches were part of a hacking campaign that targeted car insurance companies' quoting tools and stole people's personal information, including driver's license numbers and dates of birth. The hackers later used some of the stolen driver's license information to file fraudulent unemployment claims at the height of the COVID-19 pandemic.

An investigation by the Office of the Attorney General (OAG) and the New York State Department of Financial Services (DFS) concluded that the car insurance companies did not implement reasonable data security controls to protect consumers' private information. Today's settlements require all eight companies to pay penalties and significantly improve their data security. Affected New Yorkers were offered free credit report monitoring for one year. Attorney General James previously secured $6.5 million from four other car insurance companies for also failing to protect New Yorkers' data. To date, Attorney General James has secured a total of $20.79 million from 10 auto insurance companies. Attorney General James encourages companies to follow guidance provided by her office to protect consumers' personal data.

"New Yorkers pay hundreds of dollars in car insurance each month. When they go searching for a cheaper option, they should not have to worry that their private information could be stolen," said Attorney General James. "These eight car insurance companies had poor cybersecurity that allowed hackers to easily steal New Yorkers' personal information and use some of the information for fraud. I thank the Department of Financial Services and the Department of Labor for their partnership and continued work to hold companies accountable when they fail to protect consumers."

The car insurance companies involved in today's settlements are: American Family Mutual Insurance Company/Midvale Indemnity Company, Farmers Insurance, Hagerty Insurance Agency, The Hartford Insurance Group, Infinity Insurance Company, Liberty Mutual Insurance, Metromile, and State Auto Mutual Insurance Company.

These companies allowed people to obtain a car insurance price quote using an online tool. Some of the companies also provided password-protected tools to insurance agents to generate quotes for customers.

The OAG's investigation found that data thieves were able to exploit a "pre-fill" function in the companies' online quoting tools. After limited private information about an individual was entered through an online quoting tool, the company would "pre-fill" the form with private information purchased from data brokers. The purpose of "pre-fill" was to insert information the user might not have on hand and make filling out the form easier. For example, by entering limited information into the tool, such as a person's full name and date of birth, the other fields on the tool were pre-populated, such as an individual's driver's license numbers and similar information about other drivers in their household. The OAG found that the car insurance companies did not take reasonable steps to protect pre-fill private information. The attacks on these eight companies exposed the private information of over 825,000 New Yorkers. Some of the exposed data was later used to file unemployment claims during the COVID-19 pandemic.

The OAG's investigation revealed that several companies suffered more than one attack, did not have common security tools in place to prevent and detect attacks, and/or did not use multifactor authentication to protect agent account credentials. Key findings from the investigations include:

Farmers Insurance experienced three different attacks, exposing the private information of approximately 45,000 New Yorkers. After the first attack, Farmers did not identify similar vulnerabilities in additional tools that were also exploited.

American Family Mutual Insurance Company / Midvale Indemnity Company each exposed the private information of approximately 100,000 New Yorkers. The companies mistakenly exposed the majority of these records after a transition between two security systems. The companies did not create a comprehensive protected data inventory before that transition and did not reasonably test the attacked tools after that transition.

State Auto Mutual Insurance Company exposed the private information of over 100,000 New Yorkers. State Auto's quote tools were not protected by common security tools that monitor and detect suspicious patterns, such as excessive requests from the same user or multiple requests by the same user from different IP addresses.

Metromile exposed the private information of approximately 90,000 New Yorkers in a single attack that was not detected for two months. Metromile did not use common security tools to prevent and detect attacks.

Liberty Mutual Insurance experienced attacks on three different consumer quote tools, exposing the data of approximately 50,000 New Yorkers. The attacked tools had not been subject to a privacy assessment and they were not protected by common security tools.

The Hartford Insurance Group experienced two attacks that impacted approximately 30,000 New York consumers. While The Hartford maintained information security policies to protect consumer data, these policies were not implemented effectively.

The Hagerty Insurance Agency experienced two attacks that exposed the private information of approximately 66,000 New Yorkers. While Hagerty detected unusual activity on its consumer quote tool website, Hagerty did not immediately identify it as an attack on exposed private information.

The Infinity Insurance Company experienced three attacks. Data thieves accessed approximately 65,000 New Yorkers' private information through a consumer quote tool and the information of approximately 180,000 New Yorkers through two password protected agent quoting tools. Infinity did not use multifactor authentication to protect its agent tool credentials at the time of the attacks.

Today's settlements require these companies to significantly enhance their data security and pay penalties, in the following amounts:

American Family Mutual Insurance Company/Midvale Indemnity Company will pay $2.8 million;

Farmers Insurance will pay $1.3 million;

Hagerty Insurance Agency will pay $1.3 million;

Infinity Insurance Company will pay $2 million;

The Hartford Insurance Group will pay $815,000;

Liberty Mutual Insurance will pay $2 million;

Metromile will pay $2 million; and

State Auto Insurance will pay $2 million.

In addition to the penalties, the companies are required to adopt a series of measures to strengthen their cybersecurity practices, including:

Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;

Developing and maintaining a data inventory of private information and ensuring the information is protected;

Maintaining reasonable authentication procedures for access to private information;

Maintaining a logging and monitoring system as well as reasonable policies and procedures designed to properly configure systems to alert on suspicious activity; and

Enhancing their threat response procedures.

Today's settlements are the latest effort by Attorney General James to hold companies accountable for having poor cybersecurity. In March 2025, Attorney General James sued Allstate Insurance for failing to protect New Yorkers' information, causing more than 165,000 New Yorkers' information to be exposed. In November 2024, Attorney General James and Department of Financial Services Superintendent Adrienne Harris secured $11.3 million from GEICO and Travelers for having poor data security. In October 2024, Attorney General James secured $2.25 million from a Capital Region health care provider for failing to protect the private information and medical data of New Yorkers. In July 2024, Attorney General James launched two privacy guides, a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web, to help businesses and consumers protect their data online.

This matter was led by Assistant Attorneys General Gena Feist and Laura Mumm, and former Assistant Attorneys General Hanna Baek and Ezra Sternstein, Data Security Analyst Nishaant Goswamy, and former Internet and Technology Analyst Joe Graham, under the supervision of Deputy Bureau Chief Clark Russell and Bureau Chief Kim Berger of the Bureau of Internet and Technology. Data analysis was provided by Data Analyst Casey Marescot and Data Scientist Blythe Davis, under the supervision of Deputy Director Gautam Sisodia, Director Victoria Khan, former Deputy Director Megan Thorsfeldt, and former Director Jonathan Werberg of the Research and Analytics Department. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D'Angelo and overseen by First Deputy Attorney General Jennifer Levy.
