Ethical Hacking News
Allstate Insurance has been hit with a lawsuit alleging that the company exposed personal data in plaintext, allowing hackers to harvest millions of driver's license numbers. New York State is seeking penalties and an injunction against Allstate for its failure to implement reasonable data security safeguards.
Allstate Insurance has been hit with a lawsuit alleging it exposed personal data in plaintext, allowing hackers to harvest millions of driver's license numbers. The breach was uncovered by New York State, which is seeking penalties and an injunction against Allstate for its failure to implement reasonable data security safeguards. The lawsuit states that National General, a business unit of Allstate, built websites with significant vulnerabilities that made it easy for hackers to exploit them. Thieves built bots to exploit this vulnerability, allowing them to harvest data on thousands of individuals. An estimated 12,000 driver's license numbers were compromised in the breach, and another 187,000 people were affected by a similar mistake with another quote-generating tool. New York State is seeking penalties and an injunction against Allstate for its failure to implement reasonable data security safeguards and notify consumers in a timely manner.
Allstate Insurance has been hit with a lawsuit alleging that the company exposed personal data in plaintext, allowing hackers to harvest millions of driver's license numbers. The breach was uncovered by New York State, which is seeking penalties and an injunction against Allstate for its failure to implement reasonable data security safeguards.
The lawsuit states that National General, a business unit of Allstate, built websites that allowed consumers to get quotes for insurance policies. However, these websites were designed with significant vulnerabilities that made it easy for hackers to exploit them. The sites required users to input their name and address, which was then searched in a LexisNexis Risk Solutions database to find matching information.
The results of this search would appear on the screen, including the driver's license number (DLN) for the given name and address, as well as the names and DLNs of any other drivers identified as potentially living at that address. This information was then displayed in plain text, allowing hackers to easily access it without needing any additional tools or expertise.
Crooks built bots to exploit this vulnerability, which allowed them to harvest data on thousands of individuals. The lawsuit claims that National General did not detect these attacks for over two months and failed to notify the affected consumers in violation of state laws. This breach resulted in an estimated 12,000 driver's license numbers being compromised.
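The bot activity described above leaves a recognizable trace in request logs: one client looking up many unrelated name-and-address pairs in a short time. The sketch below is an added example, not code from Allstate, National General or the lawsuit; the log fields, the ten-minute window and the five-identity limit are assumptions, and the log entries are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed quote-lookup log: (timestamp, client IP, name, address)."""
    t0 = datetime(2025, 1, 1, 12, 0, 0)
    # Automated client: 30 different identities, one lookup every 20 seconds.
    log = [(t0 + timedelta(seconds=20 * i), "203.0.113.7",
            f"Person {i}", f"{i} Main St") for i in range(30)]
    # Ordinary household: the same person retried, plus one other driver.
    log += [(t0 + timedelta(minutes=m), "198.51.100.4", "Pat Doe", "5 Elm St")
            for m in (1, 2, 9)]
    log.append((t0 + timedelta(minutes=3), "198.51.100.4", "Sam Doe", "5 Elm St"))
    return sorted(log)


def flag_harvesters(log, window=timedelta(minutes=10), max_identities=5):
    """Return {client: peak distinct identities} for clients that looked up
    more than max_identities different name/address pairs within any window.

    The window and limit are assumed values; tune them to real traffic.
    """
    recent = defaultdict(deque)  # client -> (timestamp, identity) still in window
    peaks = {}
    for ts, client, name, address in log:
        queue = recent[client]
        identity = (name.strip().lower(), address.strip().lower())
        queue.append((ts, identity))
        # Drop lookups that have aged out of the sliding window.
        while ts - queue[0][0] > window:
            queue.popleft()
        # Retries for the same person count once; only distinct identities matter.
        distinct = len({ident for _, ident in queue})
        if distinct > max_identities:
            peaks[client] = max(peaks.get(client, 0), distinct)
    return peaks


if __name__ == "__main__":
    for client, peak in flag_harvesters(build_sample_log()).items():
        print(f"ALERT {client}: {peak} distinct identities within 10 minutes")
```

Counting distinct identities rather than raw requests keeps a customer who retries their own quote from triggering the alert, while a client cycling through strangers' details stands out quickly.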
Furthermore, Allstate made a similar mistake with another quote-generating tool it provided to its agents, which allowed criminals to swipe details on another 187,000 people. The insurance company failed to implement strong access controls and sent passwords in plain text via unencrypted email, allowing hackers to easily exploit these weaknesses.
The lawsuit further alleges that Allstate prioritized profit over data security, leading to the creation of insecure websites that were ripe for abuse. New York State is seeking penalties and an injunction against Allstate for its failure to implement reasonable data security safeguards and notify consumers in a timely manner.
The breach highlights the importance of robust data security measures, including strong access controls, multi-factor authentication, and encryption. It also emphasizes the need for companies to prioritize data protection over profit, as the consequences of failing to do so can be severe.
In related news, Allstate has admitted that it resolved this issue years ago and took steps to secure its systems after discovering vulnerabilities in its online quoting tools. However, the company failed to notify regulators, contact potentially affected consumers, or offer free credit monitoring as a precautionary measure.
Overall, the breach highlights the need for companies to prioritize data security and take proactive measures to protect consumer information. The lawsuit against Allstate serves as a warning to other companies that failing to do so can have serious consequences.
Published: Mon Mar 10 18:24:18 2025 by llama3.2 3B Q4_K_M