Full Report
NEW YORK – New York Attorney General Letitia James today secured $14.2 million from eight car insurance companies for failing to protect the private information of more than 825,000 New Yorkers. The data breaches were part of a hacking campaign that targeted car insurance companies’ quoting tools and stole people’s personal information, including driver’s license...
Analysis Summary
# Incident Report: Car Insurance Quoting Tool Data Exposure Leading to ID Fraud
## Executive Summary
A hacking campaign targeted the online quoting tools of eight car insurance companies. The tools' "pre-fill" function returned sensitive fields, including driver's license numbers, once a visitor entered limited details such as a name and date of birth, and attackers used it at scale to harvest the personal information of more than 825,000 New Yorkers. The stolen driver's license data was later used to file fraudulent unemployment claims during the COVID-19 pandemic. The investigation found that the insurers had not implemented reasonable data security controls; the companies agreed to pay $14.2 million in penalties and to strengthen their security.
## Incident Details
- Discovery Date: Not stated in the source. The investigation concluded with settlements announced on October 14, 2025.
- Incident Date: Not stated. Because the stolen data was used to file unemployment claims during the COVID-19 pandemic, the quoting-tool attacks must have taken place during or before that period, years ahead of the 2025 settlements.
- Affected Organization: Eight car insurance companies (including American Family, Farmers, Liberty Mutual, etc.).
- Sector: Insurance (Auto/Car Insurance).
- Geography: New York.
## Timeline of Events
### Initial Access
- Date/Time: Undetermined, but occurred before the settlement announcement in October 2025.
- Vector: Exploitation of a "pre-fill" function within the companies’ online car insurance quoting tools.
- Details: The quoting tools were built for convenience: after a visitor entered a small amount of information (name and date of birth), the tool looked the person up in commercial data sources (the report describes this data as likely purchased from data brokers) and automatically populated further fields, including the driver's license number. Name and date-of-birth pairs are easy to obtain in bulk from leaked or brokered datasets, so attackers could script requests against the open quoting tool and collect a driver's license number for every pair the lookup matched. No software exploit was needed; the feature behaved exactly as built.
### Lateral Movement
- None. The campaign never required access to the insurers' internal networks: the attackers stayed on the public quoting tool and took what its responses handed back. The stolen data was then used outside the insurers' environments, notably to file fraudulent unemployment claims.
### Data Exfiltration/Impact
- Data stolen included driver’s license numbers and dates of birth for over 825,000 New Yorkers.
- Impact included the subsequent filing of fraudulent unemployment claims during the COVID-19 pandemic using the stolen driver's license information.
### Detection & Response
- Detection: The breaches and the inadequate security controls were identified through an investigation by the New York Office of the Attorney General (OAG) and the Department of Financial Services (DFS); the source does not say whether any insurer detected the harvesting on its own.
- Response actions taken: Attorney General James secured $14.2 million in penalties from the eight companies through settlements, mandated security improvements, and offered affected New Yorkers one year of free credit report monitoring.
## Attack Methodology
- Initial Access: Abuse of the "pre-fill" feature in customer-facing online quoting tools. A quote request precedes any customer relationship, so the endpoint was open to any visitor, and the attack used only its intended functionality.
- Persistence: Not applicable. Each request was self-contained, so there was no foothold to maintain.
- Privilege Escalation: Not applicable.
- Defense Evasion: Not specified. The source says only that reasonable data security controls were absent, which would include bot and rate-limit protections on the quoting flow, so little evasion was needed.
- Credential Access: Not applicable. No accounts or passwords at the insurers were taken; driver's license numbers are identity attributes, which is why they were later accepted as proof of identity by unemployment systems.
- Discovery: The attackers needed only to learn which quoting tools auto-populated sensitive fields from a name and date of birth, and to source those inputs in bulk from public or brokered data.
- Lateral Movement: Not applicable; the stolen data was used outside the insurers' environments (unemployment claim fraud).
- Collection: Driver's license numbers and dates of birth were collected one record per request, straight from the tool's pre-filled responses.
- Exfiltration: No separate channel was required; the data left in the HTTP responses to the attackers' scripted requests.
- Impact: Financial fraud (unemployment claims) and exposure of PII belonging to more than 825,000 New Yorkers.
## Impact Assessment
- Financial: $14.2 million secured in penalties from the eight companies. The source does not quantify the losses from the fraudulent unemployment claims.
- Data Breach: PII of more than 825,000 New Yorkers compromised, specifically driver's license numbers and dates of birth.
- Operational: No operational disruption to the insurers is mentioned; the settlements do require them to implement security improvements.
- Reputational: Negative public perception related to poor cybersecurity leading to consumer harm and fraud.
## Indicators of Compromise
- Network indicators: None published.
- File indicators: Not specified.
- Behavioral indicators: Large volumes of quote-start requests from one source that submit many distinct name and date-of-birth pairs and rarely proceed to a completed quote, consistent with scripted harvesting of the "pre-fill" response; downstream, government benefit claims filed with driver's license numbers of people who recently appeared in such requests.
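The behavioral indicator above can be turned into a detection over web logs. The following is an added example, not code from the source report or from any insurer: the JSON-lines log format, the `/quote/start` path, the field names (`identity`, `prefilled`, `completed`) and the thresholds are all assumptions chosen for illustration, and the log lines are constructed. It flags sources that churn through many distinct identities, get a high pre-fill hit rate, request at a machine-regular cadence, and almost never finish a quote, while leaving a retrying shopper and a busy agency NAT alone.

```python
"""Flag scripted harvesting of a quote tool's pre-fill step from request logs.

Added example; not code from the source report or from any insurer. The
JSON-lines log format, the /quote/start path, the field names and the
thresholds are all assumptions chosen for illustration.
"""
import json
import statistics
from collections import defaultdict

ENDPOINT = "/quote/start"

# Thresholds are assumptions; tune them against real traffic before use.
MIN_IDENTITIES = 10        # distinct (name, DOB) identities from one source
MAX_COMPLETION_RATE = 0.1  # share of requests whose session reached a finished quote
MIN_PREFILL_RATE = 0.5     # share of requests the server auto-populated
MAX_GAP_STDEV = 5.0        # seconds; a near-constant cadence suggests a script


def build_constructed_log():
    """Return constructed JSON-lines entries (synthetic, not real traffic)."""
    lines = []
    # Harvester: 40 broker-sourced identities, one every 2 s, most matched by
    # the pre-fill lookup, none taken through to a quote.
    for i in range(40):
        lines.append(json.dumps({"ts": 1614556800 + 2 * i, "src_ip": "203.0.113.7",
                                 "path": ENDPOINT, "identity": f"broker-row-{i:03d}",
                                 "prefilled": i % 10 != 9, "completed": False}))
    # Genuine shopper: retypes her own details once, then completes.
    for i, done in enumerate((False, True)):
        lines.append(json.dumps({"ts": 1614556900 + 37 * i, "src_ip": "198.51.100.20",
                                 "path": ENDPOINT, "identity": "shopper-jane",
                                 "prefilled": True, "completed": done}))
    # Agency office behind one NAT: six customers over an hour, half complete.
    for i in range(6):
        lines.append(json.dumps({"ts": 1614556800 + 600 * i, "src_ip": "192.0.2.44",
                                 "path": ENDPOINT, "identity": f"agency-customer-{i}",
                                 "prefilled": True, "completed": i % 2 == 0}))
    return lines


def summarise_by_source(lines):
    """Aggregate pre-fill requests per source IP."""
    per_src = defaultdict(lambda: {"ids": set(), "prefilled": 0, "completed": 0, "ts": []})
    for line in lines:
        rec = json.loads(line)
        if rec.get("path") != ENDPOINT:
            continue
        s = per_src[rec["src_ip"]]
        s["ids"].add(rec["identity"])
        s["prefilled"] += int(bool(rec.get("prefilled")))
        s["completed"] += int(bool(rec.get("completed")))
        s["ts"].append(float(rec["ts"]))
    return per_src


def find_harvesters(lines):
    """Return {src_ip: {"stats": ..., "reasons": [...]}} for sources that look like
    scripted harvesting. Identity churn is required; the other tests corroborate,
    which keeps a busy agency NAT or a single retrying shopper out of the list."""
    findings = {}
    for src, s in summarise_by_source(lines).items():
        n = len(s["ts"])
        ts = sorted(s["ts"])
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        stats = {
            "requests": n,
            "identities": len(s["ids"]),
            "prefill_rate": s["prefilled"] / n,
            "completion_rate": s["completed"] / n,
            "gap_stdev": statistics.pstdev(gaps) if len(gaps) >= 2 else None,
        }
        if stats["identities"] < MIN_IDENTITIES:
            continue
        reasons = ["%d distinct identities" % stats["identities"]]
        if stats["completion_rate"] <= MAX_COMPLETION_RATE:
            reasons.append("almost no completed quotes")
        if stats["prefill_rate"] >= MIN_PREFILL_RATE:
            reasons.append("high pre-fill hit rate")
        if stats["gap_stdev"] is not None and stats["gap_stdev"] <= MAX_GAP_STDEV:
            reasons.append("machine-regular request cadence")
        if len(reasons) >= 3:  # churn plus at least two corroborating signals
            findings[src] = {"stats": stats, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for src, f in find_harvesters(build_constructed_log()).items():
        print(src, f["reasons"], f["stats"])
```

Keying on the source IP is the simplest cut; a real harvester rotates through proxies, so the same aggregation should also be run per session token, device fingerprint and ASN, and the completion ratio is what separates harvesting from a legitimate comparison-shopping aggregator that also churns identities.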
## Response Actions
- Containment measures: Not specified. The settlements were announced long after the harvesting campaign, and the source does not describe what the insurers did at the time.
- Eradication steps: The settlements require the companies to strengthen their data security controls; the source does not list the specific changes.
- Recovery actions: Affected New Yorkers were offered one year of free credit report monitoring.
## Lessons Learned
- Key takeaways: A feature that turns two widely available attributes (name and date of birth) into a sensitive identifier (driver's license number) is an oracle, whatever the UI calls it. Any public endpoint that does this needs a threat model that assumes scripted, bulk use, and the controls that follow from it: do not echo the sensitive value back to the browser, cap the number of distinct identities one source may submit, and monitor for harvesting patterns.
- What could have been done better: The companies did not implement the "reasonable data security controls" needed to protect consumer information in their quoting systems; the convenience of auto-population was shipped without weighing what it handed to anyone who could script a form.
## Recommendations
- Prevention measures for similar incidents: Inventory every external-facing feature that auto-populates fields from limited input and treat each one as a potential data oracle. Remove auto-population of sensitive identifiers wherever the business can do without it (data minimization); where it must remain, have the user supply the identifier and verify it server-side rather than returning it. Put preventive and detective controls (bot management, per-source limits on distinct identities, alerting on harvesting patterns) on every customer interaction point that handles PII, including unauthenticated ones, and review third-party data feeds for what they expose through the application.
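The pre-fill mechanism described under Initial Access and the hardened design recommended above can be shown side by side. The following is an added example, not the insurers' code: `VENDOR_DB` stands in for the third-party data source behind the pre-fill feature, every name, date of birth and license number in it is made up, and the endpoint shape, field names, identity cap and window are assumptions. The vulnerable handler returns the license number for a name and date of birth; the hardened `QuoteService` never populates identifiers, caps the distinct identities one source may submit per window, answers in the same shape whether or not a vendor record exists, and keys its rate-limit state on an HMAC so the store holds no raw PII. The `harvest` loop plays the attacker against both.

```python
"""A license-number pre-fill oracle, beside a hardened version of the same step.

Added example; not the insurers' code. VENDOR_DB stands in for the third-party
data source behind the pre-fill feature; every name, date of birth and license
number in it is made up. Endpoint and field names are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Constructed stand-in for the vendor lookup: (normalised name, DOB) -> license number.
VENDOR_DB = {
    ("jane doe", "1985-04-12"): "123456789",
    ("john roe", "1979-11-30"): "987654321",
    ("ana lima", "1992-02-01"): "555123456",
}


def vendor_lookup(name, dob):
    return VENDOR_DB.get((name.strip().lower(), dob.strip()))


def quote_start_vulnerable(form):
    """The exposed pattern: two low-entropy, widely available inputs go in and
    the full license number comes back for the browser to display."""
    dl = vendor_lookup(form.get("name", ""), form.get("dob", ""))
    return {"status": "ok", "prefill": {"drivers_license": dl} if dl else {}}


class QuoteService:
    """Hardened quote start: never auto-populates identifiers, caps distinct
    identities per source and window, answers uniformly, and keys rate-limit
    state on an HMAC of the identity so the store holds no raw PII."""

    def __init__(self, identity_cap=5, window_s=3600, secret=None):
        self.identity_cap = identity_cap
        self.window_s = window_s
        self._secret = secret or secrets.token_bytes(32)
        self._seen = defaultdict(dict)  # src -> {identity_key: last_seen}
        self.audit = []                 # (src, identity_key, license_verified); server-side only

    def _identity_key(self, name, dob):
        msg = f"{name.strip().lower()}|{dob.strip()}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def _over_cap(self, src, key, now):
        seen = self._seen[src]
        for k in [k for k, t in seen.items() if now - t > self.window_s]:
            del seen[k]                 # expire identities outside the window
        if key not in seen and len(seen) >= self.identity_cap:
            return True                 # a new identity beyond the cap: refuse
        seen[key] = now                 # repeats of a known identity are fine
        return False

    def quote_start(self, form, src, now=None):
        now = time.time() if now is None else now
        name, dob = str(form.get("name", "")), str(form.get("dob", ""))
        key = self._identity_key(name, dob)
        if self._over_cap(src, key, now):
            return {"status": "retry_later", "prefill": {}}
        # The applicant types the license number; the vendor record is used only
        # to check it, and the outcome goes to underwriting, never to the client.
        record = vendor_lookup(name, dob) or ""
        supplied = str(form.get("drivers_license", ""))
        verified = bool(record) and supplied.isascii() and hmac.compare_digest(record, supplied)
        self.audit.append((src, key, verified))
        # Same response shape with or without a vendor record, so the endpoint
        # is not an existence oracle either.
        return {"status": "ok", "quote_id": secrets.token_urlsafe(16), "prefill": {}}


def harvest(handler, broker_rows):
    """Attacker loop: replay (name, DOB) rows and keep any license numbers returned."""
    stolen = {}
    for row in broker_rows:
        resp = handler({"name": row[0], "dob": row[1]})
        dl = resp.get("prefill", {}).get("drivers_license")
        if dl:
            stolen[row] = dl
    return stolen


# Constructed broker-style input; the third row matches no vendor record.
BROKER_ROWS = [("Jane Doe", "1985-04-12"), ("John Roe", "1979-11-30"),
               ("Nobody Here", "2000-01-01"), ("Ana Lima", "1992-02-01")]

if __name__ == "__main__":
    print("vulnerable:", harvest(quote_start_vulnerable, BROKER_ROWS))
    svc = QuoteService(identity_cap=2)
    print("hardened:", harvest(lambda f: svc.quote_start(f, src="203.0.113.7"), BROKER_ROWS))
```

The identity cap is deliberately per source and per distinct identity rather than per request: a shopper correcting a typo resubmits the same identity and is never throttled, while a script feeding a broker list trips the cap on its first few rows. The in-memory `_seen` map would be a shared store (and the `audit` list a log pipeline) in a real deployment.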