New York, NY – New York Attorney General Letitia James has secured $975,000 in penalties from auto insurance company Root after a data breach exposed the personal information of approximately 45,000 New Yorkers.
Root Data Breach and Impact on New Yorkers
Although Root does not offer insurance in New York, scammers accessed New Yorkers’ driver’s license numbers and personal information through the company’s systems.
The data breach occurred as part of an industry-wide campaign to steal sensitive information from online auto insurance quoting applications. Thieves then used the stolen data to file fraudulent unemployment claims during the peak of the COVID-19 pandemic.
Root Settlement Adds to Growing Penalties
The Root settlement raises the total amount recovered by New York from auto insurers over data breaches to $6.57 million. Recently, New York secured:
- $5.1 million from GEICO and Travelers
- $500,000 from Noblr
Additionally, last month, the attorney general sued Allstate Insurance for exposing the personal information of more than 165,000 New Yorkers.
Attorney General Warns Companies About Poor Data Security
“When companies have poor data security practices, they put individuals at risk of identity theft and fraud,” said Attorney General James while announcing the settlement. She stressed that auto insurers must strengthen their systems to protect driver’s license numbers, Social Security numbers, and other private information from cybercriminals.
Root’s Vulnerability and Security Failures
Root allowed consumers to obtain price quotes through its website. After users entered limited personal information, the system pre-filled sensitive data, including driver’s license numbers. At the end of the auto quote process, the system generated a PDF that displayed driver’s license numbers in plain text.
Root’s Failure to Identify Risks
In January 2021, Root identified that bad actors had exploited the system’s pre-fill vulnerability. However, the attorney general’s investigation revealed that Root:
- Failed to conduct proper risk assessments of its public-facing web applications
- Did not identify the plain text exposure of consumer information
- Used inadequate controls to prevent automated attacks
Settlement Terms and Enhanced Security Requirements
As part of the settlement, Root will pay $975,000 in penalties and strengthen its data security practices to comply with New York’s data security guidelines.
Root agreed to the settlement but did not admit or deny the attorney general’s findings.