Noblr, a USAA Insurance subsidiary offering insurance through an online quoting application, will pay $500,000 following a data breach that New York officials say affected 80,000 people and led to fraudulent unemployment benefit claims.
New York Attorney General Letitia James described the Noblr data breach as part of an industry-wide campaign by scammers to steal consumers’ personal information, including driver’s license numbers and dates of birth. The scammers exploited online automobile insurance quoting applications with a feature that automatically fills in additional private information from third parties after some basic details have been entered.
According to the attorney general’s investigators, Noblr’s quoting tool exposed full, plain text driver’s license numbers on the backend of its website and in PDFs generated when a purchase was made. The state says Noblr did not block users from entering the personal information of New York residents, even though Noblr does not offer insurance products in New York.
Investigators said Noblr discovered scammers exploiting the prefill vulnerability in January 2021. By the time Noblr was able to block their access, the threat actors had obtained approximately 97,635 driver’s license numbers, of which approximately 80,758 were New York numbers, according to the investigators.
Noblr has not admitted any wrongdoing.
The attorney general said many of the stolen New York driver’s licenses were used to file claims with the New York State Department of Labor (DOL). Although DOL identified many of these fraudulent claims prior to issuing any payments, thousands of fraudulent claimants received at least some amount of unemployment benefits issued in the name of the victims of these attacks, according to the attorney general.
The attorney general’s investigation found that Noblr failed to adopt reasonable safeguards to protect private information. In addition to paying $500,000 in penalties, Noblr is required to enhance its data security.
Last month, two other auto insurers paid fines totaling $11.3 million for data breaches of their online insurance quoting systems that New York officials say compromised personal information of an estimated 120,000 customers in total. New York officials announced settlements with the Government Employees Insurance Co. (GEICO) for $9.75 million and The Travelers Indemnity Co. for $1.55 million for having “poor data security.”