The breaches, which targeted online quoting tools at eight auto insurers, allowed hackers to steal driver’s license numbers and dates of birth, according to settlements announced Tuesday, Oct. 14.

Some of the stolen data was later used to file fraudulent unemployment claims during the height of the COVID-19 pandemic.

An investigation by the Office of the Attorney General and the New York State Department of Financial Services found that the companies failed to implement reasonable security measures to protect consumer data.

The breaches were tied to the “pre-fill” function in online quoting tools, which automatically pulled sensitive information from data brokers when limited personal details were entered.

Investigators said the insurers failed to use basic safeguards like multifactor authentication and attack monitoring.

Under the settlements, the insurers must pay a total of $14.2 million in penalties and make major improvements to their cybersecurity practices. Affected New Yorkers have been offered free credit report monitoring for one year.

The companies involved are:

American Family Mutual Insurance Company/Midvale Indemnity Company ($2.8M)

Farmers Insurance ($1.3M)

Hagerty Insurance Agency ($1.3M)

Infinity Insurance Company ($2M)

The Hartford Insurance Group ($815K)

Liberty Mutual Insurance ($2M)

Metromile ($2M)

State Auto Mutual Insurance Company ($2M)

James emphasized that New Yorkers shopping for cheaper car insurance “should not have to worry that their private information could be stolen.”

The settlement is the latest in a string of enforcement actions by James’ office, which has collected more than $20 million from 10 insurance companies for similar security failures.

