Attorney General James Sues Allstate and National General Insurance for Failing to Protect New Yorkers’ Personal Information

LongIsland.com

National General’s Poor Data Security Allowed Online Bad Actors to Steal the Driver’s License Numbers of More Than 165,000 New Yorkers in Back-to-Back Breaches.

New York Attorney General Letitia James today filed a lawsuit against several insurance companies doing business as National General and Allstate Insurance Company (Allstate) for failing to protect New Yorkers’ personal information from cyberattacks. In 2020 and 2021, National General suffered a pair of back-to-back data breaches that exposed the driver’s license numbers of more than 165,000 New Yorkers. The Office of the Attorney General (OAG) alleges that following the first breach, National General failed to notify impacted consumers and neglected to determine whether sensitive information was exposed elsewhere in its system, which allowed for a second, larger breach to occur months later. Attorney General James alleges the two breaches were a result of National General’s failure to implement reasonable data security measures, both before and after Allstate assumed control of its data security operations. Attorney General James is seeking penalties for National General’s failure to institute reasonable data security safeguards and notify consumers, and an injunction to stop any continued violations. 

“National General’s weak cybersecurity emboldened hackers to steal New Yorkers’ personal data, not once but twice in two separate cyberattacks,” said Attorney General James. “National General mishandled New Yorkers’ personal information and violated the law by failing to inform them that their data was stolen. It is crucial that companies take cybersecurity seriously to protect consumers from fraud and identity theft, and my office will always hold those who fail to do so accountable.”

In 2020, attackers began targeting National General’s online quoting websites, which provide consumers with instant auto insurance quotes. These websites were designed to automatically display consumers’ full driver’s license numbers in plain text with minimal input, a flaw that bad actors were able to take advantage of to access consumers’ private information. The first breach, which affected two public-facing websites, exposed the driver’s license numbers of nearly 12,000 individuals, including more than 9,100 New Yorkers. Due to inadequate monitoring and the websites’ lack of protections against automated attacks, National General failed to detect the breach for two months.

Upon discovering the breach, National General failed to alert the consumers whose data was exposed or notify the appropriate state agencies. The company also continued to leave driver’s license numbers exposed on a separate quoting website for independent insurance agents, which was also weakly protected. Attackers then targeted this system in a second, far larger breach, which National General detected in February 2021. This attack compromised the personal information of an additional 187,000 consumers, including the driver’s license numbers of roughly 155,000 New Yorkers. National General’s data security failures continued after The Allstate Corporation acquired National General and Allstate took control of National General’s data security function.

Driver’s license numbers are valuable to cyber-criminals and can be used to commit various forms of fraud, including identity theft and government benefits fraud. Under New York law, companies that own or license New Yorkers’ private data must take appropriate steps to secure it. Attorney General James alleges that National General violated state consumer protection and business laws by failing to secure sensitive information, misrepresenting its data security practices to customers and consumers, and failing to notify affected consumers of the initial breach.

This is Attorney General James’ latest effort to hold auto insurance companies accountable for failing to secure consumers’ data. In December 2024, Attorney General James secured $500,000 from auto insurance company Noblr for failing to protect the personal information of more than 80,000 New Yorkers as part of a data breach. In November 2024, Attorney General James and New York State Department of Financial Services (DFS) Superintendent Adrienne A. Harris secured $11.3 million from GEICO and Travelers Insurance for having poor data security, which led to the personal information of more than 120,000 New Yorkers being compromised.

The matter is being handled by Assistant Attorneys General Laura Mumm and Alexandra Hiatt, with assistance from Assistant Attorneys General Gena Feist and Marc Montgomery, Senior Enforcement Counsel Jordan Adler, Data Security Analyst Nishaant Goswamy, and former Assistant Attorneys General Hanna Baek and Ezra Sternstein, under the supervision of Bureau Chief Kim Berger and Deputy Bureau Chief Clark Russell, of the Bureau of Internet and Technology. Data analysis was provided by Data Analyst Casey Marescot and Data Scientist Blythe Davis, under the supervision of Deputy Director Gautam Sisodia, Director Victoria Khan, former Deputy Director Megan Thorsfeldt, and former Director Jonathan Werberg of the Research and Analytics Department. The Bureau of Internet and Technology is a part of the Division of Economic Justice, which is overseen by Chief Deputy Attorney General Chris D’Angelo and First Deputy Attorney General Jennifer Levy.