Privacy Daily is a service of Warren Communications News.
Profit Over Safety

N.Y. Sues Allstate's National General for Data Breaches

New York Attorney General Letitia James (D) on Monday announced a lawsuit against Allstate and its subsidiary National General for failing to protect personal information from cyberattacks and for violating the state’s breach notification law. While James noted that the insurance companies' internal cyber defenses were inadequate, she said the broader cause was their choice to prioritize profit over safety.

“National General’s weak cybersecurity emboldened hackers to steal New Yorkers’ personal data, not once but twice in two separate cyberattacks,” said James. “National General mishandled New Yorkers’ personal information and violated the law by failing to inform them that their data was stolen.”

The data breaches at National General happened in 2020 and 2021, and driver's license numbers of almost 200,000 consumers were exposed, the complaint said. Bad actors targeted online tools for car insurance quotes that were available to independent agents and consumers. After obtaining the numbers, the criminals used them to commit fraud such as identity theft, James said.

The lawsuit said National General built tools that intentionally populate consumers’ entire driver's license numbers "in plain text -- in other words, fully exposed on the face of the quoting websites -- during the quoting process." Not only did the tools "automatically populate" the site with the consumer's license number, they also did so for anyone living at the same address, it added.

James argued the scale of the breaches was remarkable because National General made it easy for bad actors to access the numbers. Moreover, the insurance company failed to implement guardrails that would monitor for and block the attacks.

“After it discovered the first breach, National General, in violation of state data breach notification laws, did not alert impacted New Yorkers or relevant New York state agencies,” the complaint alleged. This lack of notification prevented New Yorkers from being able to take precautions to protect themselves from the potentially serious repercussions stemming from the attacks, and New York state agencies from quickly investigating the issue.

Even after the first breach, which affected 12,000 consumers, National General left consumers’ entire driver's license numbers "fully exposed on the online auto insurance quoting tool," making them "available to its network of independent agents," the complaint said. As a result, attackers were able to target the tools in a second, larger breach that compromised 187,000 consumer license numbers, it said.

In addition, the complaint alleges that the usernames and passwords used by independent agents to access the tools were not strong enough to keep out bad actors.

“While the specific source of the breaches was National General’s design and release of several insecure websites, the broader cause of the incidents was National General’s prioritization of profit over the implementation of reasonable data security safeguards,” said James in the suit. The AG added that “even after Allstate took control of National General’s data security function … National General’s data security still fell below the standard required by New York state law.”

Allstate "resolved this issue years ago, promptly securing our systems after finding vulnerabilities in online quoting tools that could have exposed driver’s license numbers," the insurance company said in an emailed statement. "We promptly notified regulators, contacted potentially affected consumers and offered free credit monitoring as a precaution."