Two Insurers Nailed on Data Breaches
Just in time for Thanksgiving, regulators in New York have served up a double helping of cybersecurity enforcement, against two large insurance firms that repeatedly failed to remediate known weaknesses in their IT systems that left customers’ personal data vulnerable to thieves.
The New York attorney general and the Department of Financial Services announced their enforcement actions on Monday against Geico and Travelers Indemnity Co. The two firms will pay $9.75 million and $1.55 million in penalties, respectively; and both also agreed to make numerous improvements to their cybersecurity programs.
Both businesses were attacked in 2021 by data thieves who had been targeting insurance firms, and specifically were trying to crack open the dedicated website that insurance firms often provide to independent agents who are seeking a price quote for their customers. Geico and Travelers both fell victim to the scam, although in different ways; and the thieves ultimately made off with highly sensitive personal data of roughly 120,000 New Yorkers. Some of the stolen information was subsequently used to file fraudulent unemployment claims during the covid-19 pandemic.
So what can CISOs and internal auditors learn here? In both cases, the firms knew they had a problem — indeed, they were expressly told by New York regulators that hackers were targeting insurance firms and the portals their agents used to get price quotes. And while Geico and Travelers fell victim to the hackers in different ways, the settlement orders against them show how hackers can move quickly, and therefore your remediation efforts need to happen just as fast.
Let’s start with Geico, the more serious of the two incidents.
The Geico Incidents
As described in the New York DFS settlement order, Geico discovered one security incident in January 2023. The company had a consumer-facing website where people could enter a few bits of personal data to get a price quote, and the Geico system would then return a page with more comprehensive data, including several digits of the customer’s driver license number.
To provide that answer, however, Geico’s system sent a special file back to the customer’s web browser that contained the user’s complete driver license number — so if you knew how to extract the data in that special file, you could read the whole number. Which is what hackers did, using the personal data of real people acquired on the dark web somehow. Geico discovered the weakness, reported it to regulators, and fixed the issue.
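The defect described above is a common pattern: the page displays a masked value, but the response the server sends to the browser still carries the full one. The following is an added example, not Geico's code, showing the leaky pattern beside a hardened version that masks before serialising, plus a check that inspects what actually crosses the wire. The record, field names and function names are all constructed for this illustration.

```python
"""Added example (not Geico's code): mask a sensitive field server-side
before the quote-lookup response is serialised, and test the wire payload
rather than the rendered page."""
import json

# Constructed sample record; every value here is made up for the illustration.
CUSTOMER_RECORD = {
    "first_name": "Jane",
    "last_name": "Doe",
    "zip": "10001",
    "driver_license_number": "D123456789",  # constructed, not a real number
    "vehicle": "2019 Sedan",
}


def mask_dln(dln: str, visible: int = 4) -> str:
    """Keep only the last `visible` characters; replace the rest with '*'."""
    if len(dln) <= visible:
        return "*" * len(dln)
    return "*" * (len(dln) - visible) + dln[-visible:]


def build_quote_response_leaky(record: dict) -> str:
    """The flawed pattern: a masked display value is added for the page,
    but the full record (including the unmasked number) is still serialised
    and sent to the browser, where anyone can read it out of the response."""
    payload = dict(record)
    payload["dln_display"] = mask_dln(record["driver_license_number"])
    return json.dumps(payload)


def build_quote_response_hardened(record: dict) -> str:
    """Drop the sensitive field before serialisation; the browser only ever
    receives the masked display value it is meant to show."""
    payload = {k: v for k, v in record.items() if k != "driver_license_number"}
    payload["dln_display"] = mask_dln(record["driver_license_number"])
    return json.dumps(payload)


def payload_leaks_dln(wire_payload: str, full_dln: str) -> bool:
    """Check the serialised response, not the rendered HTML: does the unmasked
    number appear anywhere in what is sent? Usable as an integration test."""
    return full_dln in wire_payload


def response_fields(wire_payload: str) -> dict:
    """Parse the wire payload back into a dict (helper for tests)."""
    return json.loads(wire_payload)
```

The useful habit here is the last function: tests that assert on the serialised response catch this class of defect, whereas tests that only look at the rendered page do not.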
Geico uncovered another security incident in March 2021, when it noticed that hackers were exploiting a weakness in the portal it offered to independent insurance agents. Long story short, hackers first discovered that glitch in late 2020, and had been using it in piecemeal fashion for months. Then they developed a way to automate their attack — so the number of bogus data requests went from 75 over a period of several months, to more than 10,000 per day.
Making matters worse, state regulators had warned insurance firms weeks earlier about a “systematic and aggressive campaign” to target those online instant quote services; and Geico didn’t discover the attack until March 1, 2021, when the attackers themselves contacted Geico to demand a ransom.
Why didn’t Geico catch any of this sooner? Because, DFS regulators said, the company’s primary risk assessment came from a penetration test done by an external consultant in 2018 — and that pen test was limited in scope, overlooked lots of the non-public information in Geico’s possession, and didn’t evaluate the platform used by Geico’s independent agents (and which hackers successfully exploited). Geico wasn’t conducting annual pen testing and wasn’t performing adequate continuous monitoring, both required by the state’s Cybersecurity Rule; and hadn’t even implemented all of the recommendations from that 2018 pen test report, limited as it was.
The Travelers Incident
Travelers only suffered one incident. Like Geico and other insurance firms, it had been warned by regulators in early 2021 that hackers were targeting consumer- and agent-facing portals for attack. Travelers did take some protective measures after that warning, but was only “beginning the process” of deploying multi-factor authentication on its agent portal.
Alas, that deployment took too long. In November 2021, Travelers noticed a spike in the number of access requests from a single insurance agency in California, and determined that someone had stolen the agents’ credentials to start stealing customers’ personal data. By the time Travelers cut off that attacker with the stolen credentials, he had already accessed 40,000 files.
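Both incidents turned on a volume signal that was visible in the logs: Geico's quote requests went from 75 over several months to more than 10,000 per day, and Travelers eventually noticed a spike in requests from a single agency. The following is an added example, not code from either firm, of the kind of detection that would surface both: count portal lookups per source per day and alert when a day exceeds that source's own recent baseline. The log format, the agency identifiers and the thresholds are all constructed assumptions.

```python
"""Added example (not Geico's or Travelers' code): flag a per-source spike in
portal lookups against that source's own recent daily baseline."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median


def constructed_log() -> list:
    """Build constructed log lines in a made-up format:
    '<ISO date> source=<agency id> action=lookup'.
    Two agencies run at a few lookups a day, then one bursts to 400."""
    lines = []
    start = date(2021, 10, 25)
    for day in range(10):                       # ten ordinary days
        d = (start + timedelta(days=day)).isoformat()
        lines += [f"{d} source=agency-A action=lookup"] * 3
        lines += [f"{d} source=agency-B action=lookup"] * 5
    lines += ["2021-11-04 source=agency-A action=lookup"] * 400   # the burst
    lines += ["2021-11-04 source=agency-B action=lookup"] * 6
    return lines


def daily_counts(lines) -> dict:
    """Return {source: {day: number of lookups}} from the log lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        day, rest = line.split(" ", 1)
        fields = dict(part.split("=", 1) for part in rest.split())
        if fields.get("action") == "lookup":
            counts[fields["source"]][day] += 1
    return counts


def detect_spikes(counts, factor=10.0, min_baseline_days=3, min_count=50) -> list:
    """For each source and day, compare the day's count with the median of
    that source's earlier days. Alert when the count is both above an
    absolute floor (so a jump from 1 to 4 does not page anyone) and more
    than `factor` times the baseline. Returns (source, day, count, baseline)."""
    alerts = []
    for source, per_day in counts.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_baseline_days:
                continue                        # not enough history yet
            baseline = median(history)
            today = per_day[day]
            if today >= min_count and today > factor * baseline:
                alerts.append((source, day, today, baseline))
    return alerts


if __name__ == "__main__":
    for alert in detect_spikes(daily_counts(constructed_log())):
        print("spike:", alert)
```

Keying the baseline by agency rather than by individual user is deliberate: where agents share credentials, as DFS found at Travelers, per-user counts are already unreliable, while the volume from a single agency (or a single source address in the Geico pattern) still stands out against its own history.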
After discovering a few more unauthorized access attempts, Travelers reconfigured its portal so that driver license numbers were masked and began a look-back investigation — and found suspicious activity on its agent portal going all the way back to April of that year. Ouch.
Ultimately, DFS faulted Travelers on two issues. First, the firm knew that its independent agents were sharing log-in credentials, even when the agents had signed contracts and policy documents promising not to share their credentials. Second, even though DFS issued a warning about the attacks in March 2021 that expressly told firms to implement multi-factor authentication, Travelers didn’t even start implementing MFA until September of that year, and was still working on implementation when the unauthorized access was discovered in November.
Compliance Points to Ponder
The big issue for both firms was quite simply an inability to respond to regulators’ demands. The New York Cybersecurity Rule, administered by DFS, has clear requirements for annual pen testing, continuous monitoring, and comprehensive risk assessments; Geico didn’t do those things. DFS also gave insurance firms a specific warning about the emergent cybersecurity threat of attackers targeting online instant-quote portals, with directives about precautions to take, such as implementing MFA; Travelers didn’t do those things.
So how can CISOs, IT auditors, and privacy officers elsewhere get a sense of their own firm’s ability to respond to regulatory requirements? That’s the question you want to answer.
Vendors will say you need a risk management tool, one that can map your controls to regulatory requirements, identify gaps, and keep you on pace as you work to seal up those gaps. That’s certainly true; for example, you need alerting and escalation procedures for urgent priorities, such as Travelers taking too long to implement MFA. (Failing to implement MFA as necessary is a time-honored security failure, from UnitedHealth earlier this year to other DFS enforcement actions in years past.)
You also need some mechanism to assure that your risk assessments are robust and current, rather than the 2018 fossil that Geico was still using years later and that was too narrow in scope from the start.
For financial firms in New York, subject to the state’s Cybersecurity Rule, all of this should be standard fare. Then again, given the pervasive threat from hackers, it really should be standard fare for everyone else, too.