New York sues Allstate over data breach, alleging security failures that exposed the driver’s license numbers of nearly 200,000 individuals
Analysis Summary
# Incident Report: Multiple Data Breaches Undisclosed by Allstate's National General Unit
## Executive Summary
Attacks on Allstate's National General unit between 2020 and 2021 exploited vulnerabilities in its online auto insurance quoting tools, exposing the driver's license numbers of over 165,000 New Yorkers. The New York Attorney General's central allegation is that the company failed to implement sufficient safeguards and failed to promptly report the two distinct incidents as required by the SHIELD Act. The state is seeking significant financial penalties and mandatory remediation.
## Incident Details
- Discovery Date: The second breach was discovered in early 2021; the first breach (August–November 2020) was not disclosed until then.
- Incident Date: Two incidents: August–November 2020 and early 2021.
- Affected Organization: Allstate (National General unit).
- Sector: Insurance (Auto Insurance).
- Geography: New York (Primary focus of the lawsuit).
## Timeline of Events
### Initial Access
- Date/Time: August 2020 (First incident).
- Vector: Exploitation of vulnerabilities in National General’s online auto insurance quoting tools.
- Details: Hackers accessed systems via weaknesses in the public-facing quoting applications.
### Lateral Movement
- *Details on internal lateral movement are not explicitly provided in the source material, only the point of compromise (quoting tools).*
### Data Exfiltration/Impact
- Date/Time: Ongoing between initial access and discovery/patching.
- Details: Driver’s license numbers were accessed. Over 165,000 New Yorkers and nearly 200,000 individuals total were impacted across the two breaches.
### Detection & Response
- Detection: First breach (Aug-Nov 2020) went undisclosed; second breach discovered in early 2021.
- Response Actions (Alleged Failure): National General failed to promptly alert affected individuals or state agencies about the initial breach, in violation of the SHIELD Act. Allstate later stated that it notified regulators and offered credit monitoring once the scope was discovered.
## Attack Methodology
- Initial Access: Exploitation of web application vulnerabilities (specifically in online auto insurance quoting tools).
- Persistence: *(Not specified)*
- Privilege Escalation: *(Not specified)*
- Defense Evasion: *(The focus of the lawsuit is the failure in controls, implying existing defenses were inadequate.)*
- Credential Access: *(Not specified, but unauthorized access to PII occurred.)*
- Discovery: *(Not specified)*
- Lateral Movement: *(Not specified)*
- Collection: Gathering of personally identifiable information (PII), specifically driver's license numbers.
- Exfiltration: Implied extraction of collected PII.
- Impact: Exposure of sensitive PII leading to potential identity fraud and regulatory violations.
## Impact Assessment
- Financial: The NY Attorney General is seeking unspecified financial penalties, citing up to $5,000 per violation under the SHIELD Act. Allstate acquired National General for approximately $4bn in January 2021.
- Data Breach: Driver's license numbers for nearly 200,000 individuals (over 165,000 in New York).
- Operational: Disruption related to investigation, remediation of quoting tools, and subsequent regulatory and legal proceedings.
- Reputational: Significant negative publicity highlighted by a lawsuit from the NY Attorney General criticizing "lax security practices."
## Indicators of Compromise
- *No specific IOCs (IPs, domains, hashes) were provided in the article.*
- Behavioral indicators: Repeated unauthorized access to online quoting systems; failure to report security incidents within the timeframes mandated by regulation.
## Response Actions
- Containment: Allstate stated it "swiftly addressed vulnerabilities upon discovery."
- Eradication: *(Implied steps taken to patch the quoting tool vulnerabilities.)*
- Recovery: Provided affected consumers with credit monitoring services.
## Lessons Learned
- The primary lesson centers on the critical importance of proactive security measures, especially on internet-facing applications (quoting tools), to prevent initial access.
- Failure to promptly detect and report data breaches, even potentially minor initial incidents, can lead to severe regulatory penalties under laws like NY’s SHIELD Act.
- Post-breach notification timing is crucial; delayed notification risks compounding reputational damage and regulatory fines.
## Recommendations
- Implement rigorous, continuous vulnerability scanning and penetration testing specifically targeting external-facing services like online quoting portals.
- Establish and strictly adhere to internal protocols for breach detection, analysis, and mandatory reporting timelines as dictated by state and federal regulations (e.g., SHIELD Act compliance).
- Enhance security awareness, particularly around the downstream effects of data exposure (e.g., how stolen driver's license numbers can be used for sophisticated phishing scams against customers).