Insurance companies Geico and Travelers have been fined more than $11 million by New York authorities for data breaches that led to the disclosure of more than 120,000 driver’s licenses of state residents. Hackers used this data to submit fraudulent claims for unemployment benefits during the COVID-19 pandemic.
In 2020, Geico and Travelers suffered data leaks due to lax security. The hackers used an auto-fill feature on insurance applications that pulled data from a third-party database to retrieve a customer’s driver’s license.
Geico discovered the problem only a month after the attacks began, but even after receiving warnings from regulators, it continued to leave vulnerable APIs open. A total of 135,414 IDs were stolen, most of which were used to fraudulently claim unemployment benefits. Travelers also fell victim to hackers because of weak passwords and a lack of multi-factor authentication. This allowed the attackers to gain access to almost 89,000 credentials.
Regulators fined Geico $9.75 million and Travelers $1.55 million. Even large companies like Geico and Travelers are vulnerable to attacks when they ignore basic security standards. New York authorities are actively fighting these problems, but fraud cases related to the pandemic will have consequences for a long time.