Root Auto Insurance Fined $975,000 for Data Breach

An auto insurance company, Root, has been fined $975,000 by the New York Attorney General for failing to protect the personal information of 45,000 residents in New York. This penalty is part of an ongoing investigation into a series of data breaches affecting the insurance industry, where hackers exploited vulnerabilities in auto insurance quoting applications to steal sensitive information such as driver’s license numbers and dates of birth.

The breaches allowed fraudsters to misuse stolen driver’s license information for filing fraudulent unemployment claims during the COVID-19 pandemic. Although Root does not operate in New York, its security lapses exposed sensitive data of New Yorkers.

Investigations pointed out that Root's online quote tool inadequately protected personal data, exposing it in plaintext through a generated PDF. Following these discoveries, Root has been mandated to enhance its data security measures in addition to the monetary penalty.