
NEW YORK – New York Attorney General Letitia James has reached a settlement with Root, an auto insurance company, securing $975,000 in penalties. The penalties stem from Root’s failure to adequately protect the personal information of approximately 45,000 New Yorkers. The data breach exposed sensitive information, including driver’s license numbers and dates of birth.
The data breach was part of a wider campaign targeting the theft of personal information from online auto insurance quoting applications. The stolen driver’s license data was then used to file fraudulent unemployment claims, particularly during the height of the COVID-19 pandemic.
Root does not offer insurance in New York, but the company’s security failures still allowed scammers to access New Yorkers’ private information. Attorney General James has previously secured settlements from GEICO and Travelers, totaling $5.1 million, and $500,000 from Noblr, all for similar data protection failures. The settlement with Root brings the total amount secured from auto insurance companies to $6.57 million.
“When companies have poor data security practices, they put individuals at risk of identity theft and other fraud,” Attorney General James stated. “Auto insurance companies need to ensure their data storage systems are protected to prevent cybercriminals from stealing driver’s license numbers, Social Security numbers, and other private information. Today’s settlement sends a message to the auto insurance industry that my office will take action to shield New Yorkers’ private information.”
Root operates as an insurance provider that allows consumers to receive price quotes through its website. The online quoting tool, after inputting some initial personal information, “pre-filled” additional information such as driver’s license numbers. Root’s system exposed full, plaintext driver’s license numbers within a PDF generated at the conclusion of the auto quote process.
In January 2021, Root discovered that bad actors were exploiting this vulnerability. The Office of the Attorney General (OAG) investigation revealed that Root had failed to perform adequate risk assessments on its public-facing web applications. The company did not identify the plain text exposure of consumer personal information and lacked sufficient controls to prevent automated attacks. Approximately 45,000 New Yorkers were affected by the breach.
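The two weaknesses described above, a quote document that carries the full pre-filled license number and no control on how fast one client can start quotes, are illustrated here in added example code that is not Root's code and is not part of the settlement; the record values, the masking rule and the rate-limit thresholds are assumptions.

```python
"""Added example (hypothetical, not Root's system): mask pre-filled
identifiers in a quote summary and flag automated quote requests."""
from collections import defaultdict, deque

# Constructed sample record, standing in for what a lookup service might
# return after an applicant enters name and address (values are made up).
PREFILL_RECORD = {"name": "Jane Doe", "dl_number": "D1234567890", "dob": "1985-04-12"}


def mask_dl_number(dl_number: str, visible: int = 2) -> str:
    """Keep only the last `visible` characters: enough for the applicant to
    confirm the record is theirs, not enough to reuse the number elsewhere."""
    if len(dl_number) <= visible:
        return "*" * len(dl_number)
    return "*" * (len(dl_number) - visible) + dl_number[-visible:]


def build_quote_summary(record: dict, hardened: bool = True) -> dict:
    """hardened=False reproduces the weak behaviour: the full pre-filled
    number (and DOB) is written into the generated quote document.
    hardened=True masks the number and leaves DOB out of the document."""
    if not hardened:
        return {"name": record["name"], "dl_number": record["dl_number"], "dob": record["dob"]}
    return {"name": record["name"], "dl_number": mask_dl_number(record["dl_number"])}


class QuoteRateLimiter:
    """Sliding-window counter per client key (source IP, session, etc.).
    A client that starts more quotes than a person plausibly would is
    refused pre-fill and should be surfaced to monitoring."""

    def __init__(self, limit: int, window_s: int) -> None:
        self.limit, self.window_s = limit, window_s
        self._events = defaultdict(deque)  # client -> timestamps in window

    def allow(self, client: str, now: float) -> bool:
        q = self._events[client]
        while q and now - q[0] >= self.window_s:  # drop expired events
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: block the request and raise an alert
        q.append(now)
        return True
```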
The OAG investigation concluded that the insurance company failed to employ reasonable safeguards to protect private information. In addition to paying the $975,000 penalty, Root is required to enhance its data security by:
- Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
- Developing and maintaining a data inventory of private information and ensuring such information is protected by reasonable safeguards;
- Maintaining reasonable authentication procedures for access to private information;
- Maintaining a logging and monitoring system and implementing policies and procedures designed to alert of suspicious activity.