New York has filed a lawsuit against Allstate and its subsidiary, National General, over two significant data breaches that occurred in 2020 and 2021. The breaches exposed the driver’s license numbers of more than 165,000 New Yorkers and nearly 200,000 individuals nationwide. According to the complaint filed by Attorney General Letitia James in Manhattan state court, National General failed to implement adequate cybersecurity measures, which allowed hackers to exploit vulnerabilities in its online auto insurance quoting platform. The first breach, occurring between August and November 2020, went undetected for months and affected over 9,100 New Yorkers. A second, larger breach in January 2021 compromised the data of an additional 155,000 New Yorkers.

The lawsuit alleges that National General violated New York’s Hacks Improve Electronic Security Act by neglecting to protect sensitive customer information and failing to notify affected individuals or state authorities promptly. Furthermore, the company is accused of misrepresenting its data security practices to consumers. Attorney General James emphasized that National General’s weak cybersecurity safeguards emboldened hackers to strike twice within a short span. The breaches were reportedly exacerbated by the company’s failure to address vulnerabilities after the first attack, leaving sensitive information exposed on public-facing websites used by consumers and independent insurance agents.

The legal action seeks civil penalties of $5,000 per violation and other remedies to prevent further infractions. The breaches were particularly concerning because National General’s systems displayed driver’s license numbers in plain text—a critical flaw that facilitated unauthorized access. Even after Allstate acquired National General and assumed control of its data security operations, the company allegedly failed to rectify these issues. Hackers exploited these weaknesses to steal private information, raising concerns about identity theft and fraud risks for affected individuals. The lawsuit also aims to hold Allstate accountable for its role in overseeing National General’s cybersecurity practices.

Attorney General James has called for an injunction to halt ongoing violations and ensure compliance with state consumer protection laws. She criticized National General for prioritizing convenience over security by not encrypting sensitive data or implementing stronger safeguards. The breaches have sparked broader discussions about corporate responsibility in protecting consumer information amid rising cyber threats. This case highlights the importance of robust cybersecurity measures in preventing data breaches and protecting consumers from identity theft.