In November, Geico and Travelers were fined a combined $11 million for data breaches that exposed the personal information of more than 120,000 individuals and contributed to COVID-19 fraud.
The New York Office of the Attorney General (OAG) and the Department of Financial Services (DFS) determined there were significant lapses in both companies’ cybersecurity measures that hackers were able to exploit. DFS further found that both companies violated its 2017 cybersecurity regulations, some of the strictest in the U.S., which have specific rules governing data protection.
Here are the full details of these two cases.
Geico
New York Attorney General Letitia James and DFS alleged that starting in November 2020, hackers accessed Geico’s online quoting system and were able to steal customers’ driver’s license numbers and dates of birth. Ultimately, these attacks resulted in the exposure of confidential data for more than 116,000 people.
The two agencies also found that Geico failed to respond appropriately to many different DFS alerts about an industry-wide cyberattack campaign targeting digital insurance quoting tools and failed to implement effective data security controls. Geico also neglected to conduct a comprehensive review of its systems to safeguard them from future cyberattacks.
These failures violated state data protection regulations and exposed customers to the real risk of identity theft and fraud. Geico agreed to pay a $9.75 million fine, and as part of the settlement, the insurer agreed to enhance its cybersecurity measures to better protect consumers’ confidential data.
Travelers
In April 2021, cybercriminals used stolen credentials to hack into Travelers' quoting tool, which enabled them to generate reports with driver’s license numbers in plain text. Travelers' system was not protected by multifactor authentication (MFA), which helped the attack go undetected for seven months and resulted in the loss of data from more than 4,000 people.
As part of its settlement, Travelers paid a fine of $1.55 million and agreed to implement many new improvements to its cybersecurity defenses, including better authentication and access logs.
Lessons for Insurers
These cases highlight the growing regulatory scrutiny on data protection practices in the insurance sector and put a price tag on the financial and reputational risks associated with ineffective cybersecurity practices.
Anne Cutler, Cybersecurity Evangelist at Keeper Security, said, “These cases reflect a broader set of challenges many companies are facing: How to stay ahead of sophisticated cyber threats while balancing operational and financial priorities. Regulatory penalties like these emphasize the importance of proactive measures – not only to comply with laws but to safeguard trust and meet the ethical obligations of managing sensitive data.”
The Geico and Travelers fines also offer key lessons for the insurance industry and emphasize the need to prioritize cybersecurity at every level of the organization. This includes implementing basic safeguards – such as MFA – to reduce vulnerabilities and prevent unauthorized access.
“Cybersecurity investments are increasing every year, but the fact that data breaches are also increasing suggests that the products and solutions being deployed are not effective,” said Venky Raju, Field CTO at ColorTokens. “Businesses need to adopt a zero trust architecture and implement technologies such as ZTNA, microsegmentation, and passwordless authentication. These software-defined technologies are relatively inexpensive, easy to deploy, and bring immediate risk reduction.”
Companies should also establish systems that allow them to quickly respond to industry alerts and threat intelligence. Regular reviews and audits of breach detection protocols can help to further identify weaknesses and improve compliance with data security regulations. By adopting these measures, insurers – as well as organizations in any industry – are better able to protect customer data and minimize the reputational and financial damage associated with breaches.
Viewing Cybersecurity as an Opportunity to Differentiate
The Geico and Travelers breaches also demonstrate additional implications of cybersecurity issues, both for consumers and insurance carriers. For consumers, these incidents create doubts about insurers’ ability to protect confidential data, which leaves them vulnerable to identity theft and fraud. For insurers, the reputational damage caused by such breaches can make it difficult to acquire and retain customers.
All of this shows that cybersecurity should not be viewed as just a compliance requirement but instead as an opportunity that can deliver a powerful competitive advantage. Insurers that maintain and demonstrate comprehensive, effective data protection controls can position themselves as trustworthy partners, giving them a valuable edge in an industry where consumer trust is critical.