VestNexus.com

New York fines insurtech over data disclosures

New York Attorney General Letitia James said last week the state had fined Root Insurance Co. $975,000 after criminals obtained thousands of driver’s license records through the insurer’s website and the records were used to file bogus Social Security claims during the COVID-19 pandemic.

Root is one of several auto insurers fined by New York over information obtained via alleged weaknesses in their policy application process.

According to the “assurance of discontinuance” document filed by the attorney general, criminals exploited the “prefill” capability of Root’s auto insurance application. The site asks applicants for basic information, such as names and addresses, and then automatically enters other information pulled from third-party data providers, including driver’s license numbers.

In late January 2021, “threat actors” used the feature to submit sham auto insurance applications and obtain the license numbers of more than 44,000 New York residents. They then used the numbers to file for unemployment benefits with the state’s Department of Labor, according to the filing.

“Although DOL identified many of these fraudulent claims prior to issuing any payments, some fraudulent claimants received at least some amount of unemployment benefits issued in the name of the victims of these attacks,” the filing states.

On Jan. 27, 2021, Columbus, Ohio-based Root noticed an unexplained increase in traffic on its site and implemented a CAPTCHA requirement and monitoring.

In addition to the fine, Root agreed to implement other security measures.

In a statement, Root said, “in light of this event, (we) have made improvements to avoid fraudulent activity. Any person impacted by the breach was immediately offered credit monitoring services at the time of the incident as precaution.”

Late last year, New York fined Berkshire Hathaway Inc. unit GEICO Corp., Travelers Insurance Cos. Inc. and Noblr Inc. for similar breaches.