GEICO and Travelers have agreed to pay a combined $11.3 million in fines following data breaches that exposed sensitive personal information of around 120,000 customers, according to the New York Attorney General’s Office and the Department of Financial Services (DFS).
New York Attorney General Letitia James and DFS Superintendent Adrienne Harris announced the settlements, which include a $9.75 million fine for GEICO and a $1.55 million fine for Travelers. Both companies were found to have insufficient cybersecurity protections in their online insurance quoting systems, leading to vulnerabilities exploited by hackers during an industry-wide cyberattack campaign.
“GEICO and Travelers offer drivers protection during times of emergencies, but these companies failed to protect consumers’ personal information,” said James. “Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously.”
Details of the Breaches
According to officials, GEICO experienced repeated cyberattacks on its auto insurance quoting tools beginning in November 2020. Hackers exploited weaknesses in both GEICO’s consumer-facing website and its agents’ quoting tool, exposing data of approximately 116,000 New York residents. This information, which included driver’s license numbers, was later used to file fraudulent unemployment claims during the COVID-19 pandemic.
Travelers faced a separate breach in April 2021, when compromised credentials allowed hackers to access the company’s insurance agent portal. The breach, which exposed personal data of approximately 4,000 New Yorkers, went undetected for over seven months before being identified by a third-party provider. Investigators noted that the lack of multifactor authentication or similar controls made the portal vulnerable to exploitation.
Regulatory Failures
Both companies were found to be in violation of New York's DFS Cybersecurity Regulation, which mandates the implementation of policies, procedures and controls to safeguard consumer data. GEICO and Travelers failed to take adequate steps despite receiving industry alerts about ongoing cyberattacks, the consent orders revealed.
“DFS’s groundbreaking cybersecurity regulation establishes a vital foundation for ensuring the safety of sensitive consumer data and the resilience of financial institutions,” said Harris. “These enforcement actions reinforce the department’s commitment to ensuring that all licensees, especially those entrusted with consumer financial information like GEICO and Travelers, uphold their duty to implement robust measures that shield New Yorkers from potential data breaches and cyber threats.”
Steps Forward
As part of the settlements, both insurers have committed to improving their cybersecurity measures. GEICO will conduct a comprehensive cybersecurity risk assessment, implement penetration testing, and develop an action plan to address vulnerabilities. Travelers will enhance its access controls, review its systems, and strengthen protections against unauthorized access to nonpublic personal information.
The DFS Cybersecurity Regulation, implemented in 2017 and updated in November 2023, has become a model for regulators nationwide. Since its adoption, DFS has issued more than $100 million in fines across 12 enforcement actions, reinforcing its role as a leader in financial cybersecurity.
Both GEICO and Travelers have pledged to cooperate with regulators and take proactive measures to prevent future breaches.
