March 24, 2025 | JacobiJournal.com – Root to Pay New York: New York Attorney General Letitia James has secured $975,000 in penalties from auto insurance company Root after a data breach exposed the personal information of approximately 45,000 New Yorkers.
Root Data Breach and Impact on New Yorkers
Although Root does not offer insurance in New York, scammers accessed New Yorkers’ driver’s license numbers and personal information through the company’s systems.
The data breach occurred as part of an industry-wide campaign to steal sensitive information from online auto insurance quoting applications. Thieves then used the stolen data to file fraudulent unemployment claims during the peak of the COVID-19 pandemic. Root to Pay New York
Root Settlement Adds to Growing Penalties
The Root settlement raises the total amount recovered by New York from auto insurers over data breaches to $6.57 million. Recently, New York secured:
- $5.1 million from GEICO and Travelers
- $500,000 from Noblr
Additionally, last month, the attorney general sued Allstate Insurance for exposing the personal information of more than 165,000 New Yorkers.
Attorney General Warns Companies About Poor Data Security
“When companies have poor data security practices, they put individuals at risk of identity theft and fraud,” said Attorney General James while announcing the settlement. She stressed that auto insurers must strengthen their systems to protect driver’s license numbers, Social Security numbers, and other private information from cybercriminals.
Root’s Vulnerability and Security Failures
Root allowed consumers to obtain price quotes through its website. After users entered limited personal information, the system pre-filled sensitive data, including driver’s license numbers. At the end of the auto quote process, the system generated a PDF that displayed driver’s license numbers in plain text.
Root’s Failure to Identify Risks
In January 2021, Root identified that bad actors had exploited the system’s pre-fill vulnerability. However, the attorney general’s investigation revealed that Root:
- Failed to conduct proper risk assessments of its public-facing web applications
- Did not identify the plain text exposure of consumer information
- Used inadequate controls to prevent automated attacks
Settlement Terms and Enhanced Security Requirements
As part of the settlement, Root will pay $975,000 in penalties and strengthen its data security practices to comply with New York’s data security guidelines.
Root agreed to the settlement but did not admit or deny the attorney general’s findings.
To strengthen your authority, you can link directly to the New York Attorney General’s official press release on settlements and consumer protection: New York Attorney General – Data Security Cases.
FAQs: Data Breach Settlement with Root Insurance
What led to the Root Insurance data breach in New York?
The data breach exposed driver’s license numbers after Root’s quoting system left sensitive data in plain text.
How much is Root Insurance paying for the data breach settlement?
Root agreed to pay $975,000 in penalties to New York as part of the settlement.
What did the investigation reveal about Root’s data breach?
The attorney general found Root failed to conduct risk assessments and allowed automated attacks on its online quoting system.
How does the Root Insurance data breach compare to other cases in New York?
The settlement adds to $6.57M already recovered from auto insurers, including GEICO, Travelers, and Noblr, for similar breaches.
Stay informed on major data breach cases, fraud prosecutions, and enforcement actions. Subscribe to JacobiJournal.com today for trusted legal and financial crime reporting.