GEICO, a subsidiary of Berkshire Hathaway Inc., and Travelers Cos. Inc. have agreed to pay a combined $11.3 million in penalties following data breaches that exposed the personal information of over 120,000 New York residents.
AM Best reported that the penalties are part of settlements with the New York Department of Financial Services (DFS) and the state attorney general. In addition to monetary fines, both insurers committed to enhancing cybersecurity protocols, including improving threat response, implementing stronger authentication measures, and maintaining a secured inventory of sensitive data.
“These enforcement actions reinforce the department’s commitment to ensuring that all licensees, especially those entrusted with consumer financial information like GEICO and Travelers, uphold their duty to implement robust measures that shield New Yorkers from potential data breaches and cyberthreats,” said DFS Superintendent Adrienne A. Harris.
GEICO's breach occurred in November 2020, when attackers abused its online quoting tools to extract driver's license numbers through the company's publicly accessible website.
DFS stated that the vulnerability stemmed from inadequate backend security. After GEICO updated its consumer quoting tools, the attackers moved on to a separate insurance-agent quoting platform, exposing data belonging to approximately 116,000 individuals.
As part of the settlement, GEICO will pay $9.75 million in penalties and conduct remedial actions, such as comprehensive cybersecurity risk assessments and penetration testing. The company noted it self-reported the incidents and has since bolstered its cybersecurity measures to prevent similar breaches.
Travelers faced scrutiny for a 2021 breach that compromised the data of roughly 4,000 New York residents.
Attackers used stolen credentials to log in to the company's agent portal, which lacked multifactor authentication. DFS reported that the intrusion went undetected for seven months and was ultimately discovered not by Travelers but by a third-party data provider.
The company agreed to pay $1.55 million in penalties and to review its systems, enhance access controls, and strengthen protections against unauthorized access.
A Travelers spokesperson stated that internal systems were not impacted and emphasized ongoing collaboration with independent agents to improve security.
According to the spokesperson in an emailed statement to AM Best: "Protecting the information of all our stakeholders is a top priority, and we will continue to partner with our independent agents to prevent similar incidents in the future. It is important to note that Travelers’ internal systems were not impacted by this incident.”
The settlements come after EyeMed Insurance paid $4.5 million in 2022 for similar violations related to weak cybersecurity controls.