NY Attorney General secures $500K against insurance company for data breach

December 19, 2024 Brooklyn Eagle Staff

STATEWIDE — A VEHICLE INSURANCE COMPANY THAT FAILED TO PROTECT 80,000 NEW YORKERS’ PERSONAL INFORMATION – even though it doesn’t offer its products in New York – must pay $500,000 in penalties. State Attorney General Letitia James on Thursday, Dec. 19 announced that she had secured $500,000 from Noblr, an auto insurance company that allows consumers to obtain a price quote through an online tool.

As part of a data breach, Noblr’s quoting tool exposed full, plaintext driver’s license numbers in several ways, including on the backend of its website and in PDFs generated when a purchase was made. Noblr also failed to block users from entering the personal information of residents of New York, a state where its products are unavailable.

Although Noblr discovered scammers exploiting the prefill vulnerability in January 2021, the company neglected to monitor its site traffic in real time, causing delays in detecting attacks and rendering it difficult to distinguish malicious activity from legitimate inquiries. The data breach was part of an industry-wide scam to steal personal information, which was then used to file fraudulent unemployment claims at the height of the COVID-19 pandemic. In addition to Noblr, Attorney General James also held GEICO and Travelers accountable for failing to protect New Yorkers’ personal information.

Noblr must now maintain a comprehensive information security program, develop and maintain a data inventory with reasonable safeguards, and maintain reasonable authentication procedures, as well as a logging and monitoring system that gives alerts on suspicious activity.




