New York Attorney General Letitia James has filed a lawsuit against National General and Allstate Insurance Company for failing to protect New Yorkers’ personal information from cyberattacks. The lawsuit comes after two consecutive data breaches in 2020 and 2021, which exposed the driver’s license numbers of more than 165,000 New Yorkers.
James said that National General failed to notify affected consumers after the first breach, leaving its systems vulnerable to a second, even larger, breach months later. Attorney General James argues that both breaches were the result of weak cybersecurity protections and a failure to take corrective measures after the first incident.
Data breaches, cybersecurity failures
In 2020, cybercriminals exploited vulnerabilities in National General’s online auto insurance quoting websites. The sites were designed to display full driver’s license numbers with minimal input, making it easy for hackers to extract private information.
The first breach affected two public-facing websites and exposed the driver’s license numbers of nearly 12,000 individuals, including more than 9,100 New Yorkers. Due to poor monitoring and a lack of protection against automated cyberattacks, National General failed to detect the breach for two months.
Even after discovering the breach, National General did not notify affected consumers or take adequate security measures to prevent further cyberattacks. As a result, hackers targeted a separate quoting system used by independent insurance agents, leading to a second breach in February 2021.
This second cyberattack compromised the personal information of 187,000 consumers, including approximately 155,000 New Yorkers. By this time, Allstate had already acquired National General and taken over its cybersecurity operations, yet the data security failures continued.
“Insurance organizations are well known for collecting and using credit information to influence rates, and to check credit they need to collect some rather sensitive data such as Social Security numbers," said Erich Kron of cybersecurity company KnowBe4. "In addition, insurers are asking customers to install telemetry devices in their vehicles, or through their phone apps, to track their location, speed, time of driving, braking and acceleration data, and a laundry list of other bits of data that most people would probably prefer remains private."
Legal Action and Consumer Protection Efforts
James alleges that National General violated New York’s consumer protection and business laws by:
- Failing to secure sensitive personal information.
- Misrepresenting its cybersecurity practices to customers.
- Neglecting to notify affected consumers after the first breach.
“National General’s weak cybersecurity emboldened hackers to steal New Yorkers’ personal data—not once, but twice,” James said. “It is crucial that companies take cybersecurity seriously to protect consumers from fraud and identity theft. My office will hold those who fail to do so accountable.”
The lawsuit seeks financial penalties against National General and an injunction to prevent further data security violations.
Growing concerns over cybersecurity
This case is part of Attorney General James’ broader effort to hold auto insurance companies accountable for failing to protect consumer data.
- December 2024: Noblr Insurance was ordered to pay $500,000 for exposing the personal data of more than 80,000 New Yorkers.
- November 2024: GEICO and Travelers Insurance paid $11.3 million after their data security failures compromised 120,000 New Yorkers’ personal information.
With increasing cyber threats, the Attorney General’s Office urges companies handling sensitive personal data to strengthen their cybersecurity measures to protect consumers from fraud and identity theft.
Sign up below for The Daily Consumer, our newsletter on the latest consumer news, including recalls, scams, lawsuits and more.