The New York Department of Financial Services (DFS) fined **Farmers Insurance Exchange** **$2.8 million** for inadequate cybersecurity controls that exposed consumer data—including **driver’s license numbers and birth dates**—through vulnerable online quoting platforms. The breach stemmed from systemic failures in safeguarding sensitive personal information, compounded by the company’s **delay in reporting the incident**, which further undermined consumer protections. DFS mandated remedial measures, including a **comprehensive review of data storage and access protocols**, to prevent future exposures. The enforcement action highlights regulatory scrutiny under New York’s cybersecurity framework (enacted in 2017, updated in 2023), which serves as a benchmark for financial sector oversight. While Farmers Insurance acknowledged the penalties, the case remains part of an **ongoing DFS investigation** into broader industry vulnerabilities. The incident underscores the risks of **unsecured digital platforms** in handling high-value consumer data, particularly in sectors like auto insurance where personally identifiable information (PII) is routinely processed.
Source: https://beinsure.com/news/ny-fines-auto-insurers-19mn-cyber-data-breaches/
TPRM report: https://www.rankiteo.com/company/farmers-insurance
{
  "id": "far5903059102225",
  "linkid": "farmers-insurance",
  "type": "Breach",
  "date": "6/2017",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Automotive Insurance',
'location': 'USA (New York)',
'name': 'Farmers Insurance Exchange',
'type': 'Insurance Company'},
{'industry': 'Automotive Insurance',
'location': 'USA (New York)',
'name': 'Hagerty Insurance Agency LLC',
'type': 'Insurance Agency'},
{'industry': 'Automotive Insurance',
'location': 'USA (New York)',
'name': 'Hartford Fire Insurance Co.',
'type': 'Insurance Company'},
{'industry': 'Automotive Insurance',
'location': 'USA (New York)',
'name': 'Infinity Insurance Co.',
'type': 'Insurance Company'},
{'industry': 'Automotive Insurance',
'location': 'USA (New York)',
'name': 'Liberty Mutual Insurance Co.',
'type': 'Insurance Company'},
{'industry': 'Automotive Insurance',
'location': 'USA (New York)',
'name': 'Metromile Insurance Co.',
'type': 'Insurance Company'},
{'industry': 'Automotive Insurance',
'location': 'USA (New York)',
'name': 'Midvale Indemnity Co.',
'type': 'Insurance Company'},
{'industry': 'Automotive Insurance',
'location': 'USA (New York)',
'name': 'Safe Automobile Mutual Insurance Co.',
'type': 'Insurance Company'}],
'attack_vector': ['Insecure Online Quoting Platforms', 'Poor Access Controls'],
'data_breach': {'personally_identifiable_information': ['Driver’s License '
'Numbers',
'Birth Dates'],
'sensitivity_of_data': 'High (Driver’s License Numbers, Birth '
'Dates)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)']},
'description': 'The New York Department of Financial Services (DFS) fined '
'eight auto insurers and agencies over $19 million for '
'inadequate cybersecurity controls that exposed consumer data, '
'including driver’s license numbers and birth dates, through '
'online quoting platforms. Farmers Insurance Exchange and '
'Infinity Insurance Co. were additionally penalized for '
'failing to report incidents in a timely manner. The '
'settlements mandate remedial measures, including a full '
'review of consumer data storage and access protocols.',
'impact': {'brand_reputation_impact': ['Potential Trust Erosion Due to Data '
'Exposure'],
'data_compromised': ['Driver’s License Numbers',
'Birth Dates',
'Personal Details'],
'financial_loss': '$19,300,000 (Total Fines)',
'identity_theft_risk': ['High (Due to Exposure of PII)'],
'legal_liabilities': ['Regulatory Fines', 'Ongoing Investigations'],
'operational_impact': ['Regulatory Scrutiny',
'Mandatory Remedial Measures'],
'systems_affected': ['Online Quoting Platforms']},
'investigation_status': 'Ongoing (DFS investigation into related breaches '
'continues)',
'lessons_learned': ['Timely incident reporting is critical to compliance and '
'consumer protection.',
'Robust access controls and data protection measures are '
'essential for online platforms handling PII.',
'Regulatory frameworks like NY DFS’s cybersecurity rules '
'set enforceable standards for financial institutions.'],
'post_incident_analysis': {'corrective_actions': ['Mandatory review of '
'consumer data storage and '
'access protocols.',
'Enhanced compliance with '
'NY DFS cybersecurity '
'regulations.',
'Investment in '
'cybersecurity programs '
'(e.g., Liberty Mutual’s '
'ongoing efforts).'],
'root_causes': ['Inadequate cybersecurity controls '
'on online quoting platforms.',
'Failure to report incidents '
'promptly (Farmers Insurance '
'Exchange, Infinity Insurance '
'Co.).',
'Lack of basic preparedness (e.g., '
'response plans, vulnerability '
'scans).']},
'recommendations': ['Implement comprehensive vulnerability scanning and '
'access reviews for online platforms.',
'Ensure timely incident reporting to regulators to avoid '
'compounded penalties.',
'Invest in cybersecurity programs to align with evolving '
'regulatory requirements (e.g., NY DFS 2023 updates).',
'Adopt basic cyber preparedness measures, such as '
'incident response plans, to mitigate risks.'],
'references': [{'source': 'New York Department of Financial Services (DFS)'},
{'source': 'Aon’s Global Cyber Risk Report'}],
'regulatory_compliance': {'fines_imposed': '$19,300,000 (Total)',
'legal_actions': ['Settlements with Mandatory '
'Remedial Measures'],
'regulations_violated': ['New York DFS '
'Cybersecurity Regulation '
'(2017, Updated 2023)'],
'regulatory_notifications': ['Delayed Reporting by '
'Farmers Insurance '
'Exchange and Infinity '
'Insurance Co.']},
'response': {'communication_strategy': ['Public Statements (e.g., Liberty '
'Mutual’s Acknowledgment)'],
'containment_measures': ['Review of Consumer Data Storage and '
'Access'],
'remediation_measures': ['Full Review of Data Handling '
'Practices']},
'title': 'New York DFS Fines Eight Auto Insurers $19M for Inadequate '
'Cybersecurity Controls Exposing Consumer Data',
'type': ['Data Breach', 'Regulatory Non-Compliance'],
'vulnerability_exploited': ['Inadequate Data Protection Measures',
'Lack of Timely Incident Reporting']}