Full Report
A pair of data breaches in late 2020 and early 2021 exposed driver’s license numbers of almost 200,000 people. The post New York sues Allstate and subsidiaries for back-to-back data breaches appeared first on CyberScoop.
Analysis Summary
# Incident Report: Back-to-Back Data Breaches at National General (Allstate Subsidiary)
## Executive Summary
National General, an insurance subsidiary acquired by Allstate, suffered two distinct data breaches in late 2020 and early 2021, exposing the driver's license numbers of nearly 200,000 New York residents. The breaches were facilitated by poor security practices, specifically leaving an online insurance quoting tool configured to populate PII in plain text. The New York Attorney General has filed a lawsuit against Allstate and its subsidiaries alleging failure to secure data and failure to properly notify affected individuals in one of the incidents.
## Incident Details
- Discovery Date: Late 2020 (First incident); Sometime after acquisition/early 2021 (Second incident)
- Incident Date: Late 2020 and Early 2021 (Back-to-back)
- Affected Organization: National General (Subsidiary of Allstate)
- Sector: Insurance/Financial Services
- Geography: New York (Focus of the lawsuit)
## Timeline of Events
### Initial Access
- **Date/Time:** Late 2020 (First Incident)
- **Vector:** Exploitation of vulnerabilities in the auto insurance quoting tool for independent agents.
- **Details:** Attackers likely exploited the design flaw where the system populated full driver's license numbers in **plain text** during the quoting process.
### Lateral Movement
- *Not explicitly detailed in the summary, but likely focused on accessing the data stored by or accessible through the quoting tool.*
### Data Exfiltration/Impact
- **First Incident (Late 2020):** Exposed driver’s license numbers of almost 12,000 people. This breach went undetected for over two months.
- **Second Incident (Early 2021):** Affected the auto insurance quoting tool used by independent agents, exposing driver’s license numbers of 187,000 people. This occurred around the time Allstate finalized the acquisition of National General.
### Detection & Response
- **Detection:** The first incident was detected after more than two months. The second incident’s detection time is not specified.
- **Response (Alleged Failures):** National General is accused of violating the law by failing to inform almost 12,000 people of the first breach.
- **Response (Stated Action by Allstate):** Allstate claims they "resolved this issue years ago, promptly securing our systems" and notified regulators and offered credit monitoring to potentially affected customers.
## Attack Methodology
- **Initial Access:** Exploiting misconfigurations/vulnerabilities in the online quote tools.
- **Persistence:** N/A (Likely focused on data access during tool usage rather than long-term foothold.)
- **Privilege Escalation:** N/A (The vulnerability appears to be related to data exposure rather than escalating privileges.)
- **Defense Evasion:** The first attack went **undetected for more than two months**.
- **Credential Access:** Not explicitly detailed; the exposed driver's license numbers themselves, rather than credentials, appear to have been the primary objective.
- **Discovery:** N/A
- **Lateral Movement:** N/A
- **Collection:** Gathering driver's license numbers directly from the vulnerable quoting process.
- **Exfiltration:** Not specified, implied data theft occurred.
- **Impact:** Exposure of PII, specifically driver's license numbers.
## Impact Assessment
- **Financial:** The context mentions a lawsuit filed by the NY AG, suggesting potential financial penalties (similar fines levied against Geico and Travelers were $9.75M and $1.55M, respectively, for comparable incidents). Allstate acquired National General for $4 billion in 2021.
- **Data Breach:** Driver's License numbers exposed for approximately 200,000 people in total across the two incidents.
- **Operational:** Disruption related to system remediation and regulatory scrutiny.
- **Reputational:** Significant negative press leading to a lawsuit from the NY Attorney General against the parent company, Allstate.
## Indicators of Compromise
*No direct IOCs (addresses, hashes, or file names) were provided in the source text:*
- **Network indicators:** N/A
- **File indicators:** N/A
- **Behavioral indicators:** Sustained, undetected querying of the online quoting tool leading to bulk retrieval of driver's license numbers.
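The behavioral indicator above (sustained querying of the quoting tool by a single source) is detectable from ordinary web access logs. The following is an added example, not code from the original report or from any Allstate/National General system: it parses constructed access log lines for a hypothetical `/quote/prefill` endpoint and flags sources whose successful prefill requests exceed a threshold within a sliding time window. The log format, endpoint path, and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample access log lines for a hypothetical quote-prefill endpoint.
# These are not real National General/Allstate records; the format
# "<timestamp> <source-ip> <method> <path> <status>" is an assumption.
SAMPLE_LOG = """\
2021-01-14T09:00:01Z 198.51.100.7 GET /quote/prefill 200
2021-01-14T09:00:04Z 198.51.100.7 GET /quote/prefill 200
2021-01-14T09:00:09Z 198.51.100.7 GET /quote/prefill 200
2021-01-14T09:00:15Z 198.51.100.7 GET /quote/prefill 200
2021-01-14T09:00:22Z 198.51.100.7 GET /quote/prefill 200
2021-01-14T09:00:30Z 198.51.100.7 GET /quote/prefill 200
2021-01-14T09:01:10Z 203.0.113.42 GET /quote/prefill 200
2021-01-14T09:45:00Z 203.0.113.42 GET /quote/prefill 200
2021-01-14T09:02:00Z 192.0.2.9 GET /quote/submit 200
2021-01-14T09:03:00Z 192.0.2.9 GET /quote/prefill 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one access log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, path, status = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src": src,
        "method": method,
        "path": path,
        "status": int(status),
    }


def bulk_prefill_sources(log_text, window_seconds=300, threshold=5, path="/quote/prefill"):
    """Return {source_ip: peak_count} for every source whose successful requests
    to `path` exceed `threshold` inside any sliding window of `window_seconds`.

    Only status-200 responses count, because those are the requests that
    actually returned populated quote data."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events = [e for e in events if e["path"] == path and e["status"] == 200]
    events.sort(key=lambda e: e["ts"])

    windows = defaultdict(deque)   # per-source timestamps inside the current window
    peaks = defaultdict(int)       # per-source highest count seen in any window
    for e in events:
        q = windows[e["src"]]
        q.append(e["ts"])
        # Drop timestamps that have fallen out of the window.
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peaks[e["src"]] = max(peaks[e["src"]], len(q))
    return {src: n for src, n in peaks.items() if n > threshold}


if __name__ == "__main__":
    for src, n in bulk_prefill_sources(SAMPLE_LOG).items():
        print(f"ALERT bulk prefill retrieval: {src} made {n} requests within 5 minutes")
```

The sliding window is per source, so a slow but sustained scraper is caught by widening `window_seconds` (for example an hour or a day) rather than by lowering the threshold; in practice the source key would also include the authenticated agent account, since the quoting tool was used by independent agents and a single compromised login is as much a signal as a single IP.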
## Response Actions
- **Containment:** Allstate claims they "resolved this issue years ago, promptly securing our systems after finding vulnerabilities in online quoting tools."
- **Eradication:** Remediation of the vulnerability in the quoting tool.
- **Recovery:** Notified regulators and offered free credit monitoring to potentially affected customers (this relates to the second incident; for the first incident, the lawsuit alleges that affected individuals were not notified).
## Lessons Learned
- **Architectural Flaws as Major Risks:** Accidentally leaving sensitive data fields (full driver's license numbers) exposed in **plain text** within external-facing application tools creates an extremely easy target for threat actors.
- **Inconsistent Incident Handling:** The company failed to properly notify nearly 12,000 victims of the first breach, leading to legal consequences.
- **Due Diligence Post-Acquisition:** The second breach occurred while the acquisition was closing, highlighting potential gaps in pre-acquisition security posture understanding or post-acquisition integration of security standards.
## Recommendations
- Conduct immediate and comprehensive third-party penetration testing and code reviews on all customer/agent-facing tools, specifically targeting PII handling and transmission methods (e.g., confirming no data is exposed in logs or plain text transmission).
- Implement robust compliance auditing to ensure all regulatory notification requirements are met immediately following any confirmed data exposure.
- Standardize security configurations across all newly acquired subsidiaries immediately upon acquisition closure, prioritizing remediation of critical vulnerabilities like plain-text PII exposure.
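The architectural flaw named in the Lessons Learned (a quoting tool that populates full driver's license numbers in plain text) and the first recommendation (confirming no PII reaches logs or the wire unmasked) can both be illustrated in code. The following is an added example, not code from the original report or from any Allstate/National General system: it shows the weak prefill response beside a hardened one that returns only a masked value, plus two checks a code review or test suite could run, one that verifies a serialized response or log entry does not carry the full number, and one that scrubs nine-digit license-like tokens from log lines. The record shape, field names, and the nine-digit license format are assumptions.

```python
import json
import re

# Constructed sample record, as a hypothetical quoting backend might hold it.
# The license number is fabricated and the field names are assumptions.
SAMPLE_RECORD = {"name": "J. Doe", "zip": "10001", "dl_number": "123456789"}


def prefill_response_weak(record):
    """Weak pattern: the full license number is echoed to the browser/agent UI,
    which is the kind of plain-text population described in the report."""
    return {"name": record["name"], "zip": record["zip"], "dl_number": record["dl_number"]}


def mask_license(dl, keep=2):
    """Mask all but the last `keep` characters of a license number."""
    if not dl:
        return ""
    if len(dl) <= keep:
        return "*" * len(dl)
    return "*" * (len(dl) - keep) + dl[-keep:]


def prefill_response_hardened(record):
    """Hardened pattern: the UI learns only that a license is on file and its
    last two characters for confirmation; the full value stays server-side."""
    return {
        "name": record["name"],
        "zip": record["zip"],
        "dl_number_masked": mask_license(record["dl_number"]),
        "dl_on_file": bool(record["dl_number"]),
    }


def exposes_full_license(payload, dl_number):
    """True if the serialized payload (a response body or a log entry)
    contains the full license number anywhere."""
    return dl_number in json.dumps(payload)


# Assumption: licenses in this hypothetical system are nine digits, so any
# standalone nine-digit token in a log line is treated as a license number.
NINE_DIGIT_RE = re.compile(r"\b\d{9}\b")


def scrub_log_line(line):
    """Redact nine-digit license-like tokens before a line is written to logs."""
    return NINE_DIGIT_RE.sub(lambda m: mask_license(m.group(0)), line)


if __name__ == "__main__":
    weak = prefill_response_weak(SAMPLE_RECORD)
    hard = prefill_response_hardened(SAMPLE_RECORD)
    print("weak exposes full DL:", exposes_full_license(weak, SAMPLE_RECORD["dl_number"]))
    print("hardened exposes full DL:", exposes_full_license(hard, SAMPLE_RECORD["dl_number"]))
    print(scrub_log_line("prefill ok for zip=10001 dl=123456789"))
```

`exposes_full_license` is deliberately a blunt substring check so it can run over any serialized artifact (HTTP response, debug log, error page) in a test; the scrubber belongs at the logging layer, because a prefill endpoint that never returns the full number can still leak it through a stack trace or request dump if the backend logs raw records.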