New York Sues ‘Allstate’ Over 2020-2021 Data Breaches and Alleged Security Failures

• Allstate's National General unit was sued in the U.S. for breaching New York's SHIELD Act.
• The insurance company failed to properly secure sensitive user data, including passwords and government-issued IDs.
• Moreover, it reportedly mislead consumers about its cybersecurity practices.

A lawsuit against Allstate's National General unit was filed, alleging failures in safeguarding customer data and reporting breaches that exposed sensitive information in plain text to anyone, including driver's license numbers.

The New York Attorney General's lawsuit highlights two cybersecurity breaches targeting National General's auto insurance quoting tools, compromising the data of approximately 199,000 individuals, according to Reuters.

The first breach between August and November 2020 reportedly went unreported to impacted drivers and state agencies alike. A more severe breach was uncovered in January 2021 after a three-month delay, affecting over 165,000 New Yorkers.  

The legal action accuses the National General of breaching New York's “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act) by failing to adequately protect sensitive customer data. 

Regarding the breaches, the Attorney General underlined that hackers could steal New Yorkers' personal data twice due to National General's weak cybersecurity. The filing also alleges the insurance company didn't require multi-factor authentication or secure passwords, which were sent to agents by unencrypted email in plain text.

Additionally, the company is accused of violating state consumer protection laws for allegedly misleading consumers about its cybersecurity practices. New York's lawsuit seeks civil penalties of $5,000 per legal infraction and other remedies.

Allstate defended its handling of the breaches, asserting that vulnerabilities in its systems were promptly resolved and stating it had offered free credit monitoring to potentially affected consumers.