Investing.com -- New York Attorney General Letitia James has filed a lawsuit against insurance companies National General and Allstate Insurance Company (NYSE: ALL ) following a series of data breaches. The breaches, which took place in 2020 and 2021, exposed the driver’s license numbers of over 165,000 New Yorkers. The lawsuit alleges that National General failed to adequately protect personal information from cyberattacks and failed to notify impacted consumers after the first data breach.

The Office of the Attorney General (OAG) claims that National General did not determine if sensitive information was exposed elsewhere in its system following the first breach. This alleged negligence allowed for a second, larger breach to occur months later. The lawsuit asserts that these breaches were due to National General’s failure to implement reasonable data security measures, both before and after Allstate assumed control of its data security operations.

The lawsuit seeks penalties for National General’s alleged failure to establish reasonable data security safeguards and notify consumers. It also seeks an injunction to stop any continued violations.

According to Attorney General James, "National General’s weak cybersecurity emboldened hackers to steal New Yorkers’ personal data, not once but twice in two separate cyberattacks." She added that it is crucial for companies to take cybersecurity seriously to protect consumers from fraud and identity theft.

In 2020, attackers targeted National General’s online quoting websites, which provided instant auto insurance quotes. These websites were designed to automatically display consumers’ full driver’s license numbers in plain text with minimal input, a flaw that attackers exploited to access consumers’ private information.

The first breach affected two public-facing websites, exposing the driver’s license numbers of nearly 12,000 individuals, including more than 9,100 New Yorkers. National General allegedly failed to detect the breach for two months due to inadequate monitoring and a lack of protections against automated attacks.

Upon discovering the breach, National General allegedly did not alert the affected consumers or notify the appropriate state agencies. The company also reportedly continued to leave driver’s license numbers exposed on a separate quoting website for independent insurance agents, which was also weakly protected.

A second, larger breach occurred in February 2021, which compromised the personal information of an additional 187,000 consumers, including the driver’s license numbers of approximately 155,000 New Yorkers. The lawsuit alleges that National General’s data security failures continued even after The Allstate Corporation acquired National General and Allstate took over National General’s data security function.

Attorney General James alleges that National General violated state consumer protection and business laws by failing to secure sensitive information, misrepresenting its data security practices to customers and consumers, and failing to notify affected consumers of the initial breach.

This article was generated with the support of AI and reviewed by an editor. For more information see our T&C.