New York Attorney General Letitia James has filed a lawsuit against National General and Allstate Insurance, alleging that their inadequate cybersecurity measures allowed hackers to steal the personal information of more than 165,000 New Yorkers in
“National General’s weak cybersecurity emboldened hackers to steal New Yorkers’ personal data, not once but twice in two separate cyberattacks,” James said. “National General mishandled New Yorkers’ personal information and violated the law by failing to inform them that their data was stolen.”
The first breach, detected in 2020, exploited vulnerabilities in National General’s online insurance quoting websites. These platforms automatically displayed full driver’s license numbers with minimal input, making them an easy target for cybercriminals. As a result, nearly 12,000 individuals, including 9,100 New Yorkers, had their data exposed. Due to poor monitoring, National General did not detect the breach for two months.
Despite discovering the breach, National General failed to notify affected consumers or take adequate steps to secure its systems. This led to a second, more extensive attack in early 2021, when hackers exploited a separate website used by independent insurance agents. This breach compromised an additional 187,000 consumers, including approximately 155,000 New Yorkers. By this time, Allstate had acquired National General and was responsible for overseeing its data security operations.
Under New York law, companies that collect and store personal data must implement reasonable security measures to protect it. The lawsuit contends that National General and Allstate failed to do so, exposing consumers to potential identity theft and fraud. The Attorney General is seeking penalties and an injunction to prevent further violations.
This lawsuit is part of Attorney General James’ ongoing efforts to hold insurance companies accountable for cybersecurity failures. In recent months, her office has secured multimillion-dollar settlements from GEICO, Travelers Insurance, and Noblr for similar data breaches affecting thousands of New Yorkers.