Auto insurance companies Geico and Travelers were fined $11 million in New York over data breaches that impacted the personal information of over 120,000 individuals.

The insurance quoting tools of Government Employees Insurance Company (Geico) were targeted in several cyberattacks starting November 2020, leading to the compromise of a public-facing website’s backend and the theft of driver’s license numbers.

Geico was notified several times of an industry-wide hacking campaign aimed at information theft from online automobile insurance quoting applications and responded to separate incidents, but did not take the necessary measures to protect its systems.

Vulnerabilities in the company’s website and insurance agents’ quoting tool eventually led to attackers compromising the personal information of approximately 116,000 New York residents.

According to the New York Attorney General and the New York State Department of Financial Services (DFS), some of the stolen information was used to file unemployment claims during the COVID-19 pandemic.

The Travelers Indemnity Company (Travelers) fell victim to an attack on its insurance agent portal in April 2021, after receiving several alerts on the hacking campaign.

The attackers used stolen credentials to access Travelers’ insurance agent portal, which did not have multi-factor authentication (MFA) enabled, and generated reports that included driver’s license numbers in plain text.

Approximately 4,000 New York residents were impacted and Travelers did not discover the data breach until seven months later, when a third-party prefill data provider notified it.

Investigations conducted by the New York OAG and DFS concluded that the two companies did not implement security controls to protect customers’ information and did not comply with regulations requiring them to properly protect that information.

On Monday, the New York OAG and DFS announced a $9.75 million settlement (PDF) with Geico and a $1.55 million settlement (PDF) with Travelers.

The two auto insurance companies agreed to review and improve their cybersecurity practices through comprehensive information security programs, data inventories, reasonable authentication procedures, logging and monitoring systems, and improved threat response procedures.

Related: Collapse of National Security Elites’ Cyber Firm Leaves Bitter Wake

Related: Texas Department of Insurance Exposed Data of 1.8 Million People

Related: British Council Student Data Found in Unprotected Database

Related: Data on California Prisons’ Visitors, Staff, Inmates Exposed