New York Attorney General Letitia James has filed a lawsuit against National General and Allstate Insurance Company following multiple data breaches that exposed the driver’s license numbers of more than 165,000 New York residents. The breaches highlight ongoing challenges in securing digital identity documents even as states move toward mobile driver’s licenses and enhanced authentication systems.
The legal action addresses two separate breach incidents. The first occurred in 2020, when attackers exploited National General’s online auto insurance quoting websites, which displayed consumers’ full driver’s license numbers in plain text. The breach affected nearly 12,000 individuals, including more than 9,100 New Yorkers. According to the lawsuit, National General failed to detect the breach for two months due to insufficient monitoring systems and inadequate protections against automated attacks – a growing concern as credential stuffing attacks have increased dramatically in recent years.
A second, more extensive breach in February 2021 compromised the personal information of an additional 187,000 consumers, including approximately 155,000 New Yorkers’ driver’s license numbers. The lawsuit alleges that these security vulnerabilities persisted even after The Allstate Corporation acquired National General and assumed control of its data security operations. The incident underscores the importance of robust identity verification systems, which many financial institutions are now implementing through proactive fraud prevention platforms.
The legal filing, submitted on March 10, 2025, contends that National General failed to establish reasonable data security safeguards and did not properly notify affected consumers or relevant state agencies upon discovering the first breach. Additionally, the company allegedly continued to expose driver’s license numbers on a separate quoting website for independent insurance agents that also had insufficient security measures. The failures occurred at a time when many organizations are strengthening their authentication protocols, with some sectors adopting two-factor authentication as an industry standard.
“National General’s weak cybersecurity emboldened hackers to steal New Yorkers’ personal data, not once but twice in two separate cyberattacks,” said Attorney General James. “It is crucial for companies to take cybersecurity seriously to protect consumers from fraud and identity theft.”
The lawsuit seeks penalties, an injunction to halt any ongoing violations, and additional equitable relief under General Business Law (GBL) §§ 899-aa and 899-bb, which authorize the Attorney General to take action when businesses fail to disclose security breaches to New York state residents.
Sources: Investing.com, Street Insider, JD Supra, NJ Courts, New York Attorney General
Follow Us