The New York Attorney General recently entered into an assurance of discontinuance with Root Insurance Company following a 2021 data incident. According to the AG, the threat actors obtained people’s drivers’ license numbers by exploiting a website error on its car insurance application portal. Namely, upon entering a publicly available name and address, the site would generate a prefilled PDF that included that person’s drivers’ license number, which numbers were pulled from third-party databases. Threat actors used an automated bot to exploit this vulnerability, and gathered drivers’ license numbers of 44,449 New Yorkers (more than half of the total 72,852 people impacted). The threat actors then used many of these people’s information to file fake unemployment claims with New York, which according to the AG, was the goal of the attack.Continue Reading Auto Insurer Settles With New York AG Over Insurance Application Platform Security Issues
