Allstate Corp. is being sued by the New York attorney general, who claims its subsidiary, National General Holdings Corp., failed to protect consumer data during multiple cyberattacks, according to BestWire.
In 2020 and 2021, National General experienced breaches that exposed the driver’s license numbers of over 165,000 New Yorkers.
According to the attorney general, the company did not notify affected consumers or assess whether sensitive information had been disclosed.
The lawsuit alleges that these incidents resulted from inadequate data security measures, both before and after Allstate assumed control of National General’s cybersecurity operations.
Attorney General Letitia James stated that National General’s weak cybersecurity practices encouraged hackers to target and steal personal data on two separate occasions.
She criticized the company for mishandling consumer information and failing to inform affected individuals of the breaches.
In 2021, hackers targeted National General’s online quoting website, which displayed full driver’s license numbers in plain text.
The initial breach compromised data from two websites, impacting 12,000 individuals. After detecting the breach, National General did not alert those affected. Instead, the company left license numbers exposed on a separate, poorly secured website for independent agents (see Global Cyber Insurance Industry: Emerging Trend & Growth Opportunities in 2025).
In February 2021, hackers exploited this vulnerability in a second, larger attack that compromised data from an additional 187,000 individuals.
The lawsuit claims that these cybersecurity failures persisted even after Allstate acquired National General. Allstate finalized the $4 bn acquisition in January 2021.
An Allstate spokesperson stated that the company had addressed these issues years ago, securing its systems after discovering vulnerabilities in online quoting tools.
The company reported the incidents to regulators and informed affected consumers, offering free credit monitoring as a precaution.
This lawsuit follows other actions taken by New York against insurers for cybersecurity lapses. In November 2024, the Department of Financial Services fined Geico and Travelers Cos., subsidiaries of Berkshire Hathaway, a combined $11.3 mn for data breaches.
