Attorney General James Secures $975,000 from Auto Insurance Company over Data Breach

Root Allowed Hackers to Steal New Yorkers’ Driver’s License Numbers and Fraudulently Obtain Unemployment Benefits

AG James Has Secured $6.57 Million from Four Auto Insurance Companies over Industry-wide Data Security Failures

New York Attorney General Letitia James today announced that Root, an auto insurance company, will pay $975,000 in penalties for failing to protect the personal information of approximately 45,000 New Yorkers. The breach was part of an industry-wide campaign in which criminals stole consumers’ personal information, including driver’s license numbers and dates of birth, from online automobile insurance quoting applications. Some of the stolen data was later used to file fraudulent unemployment claims during the COVID-19 pandemic.

Although Root does not offer insurance in New York, its security failures exposed the personal information of New Yorkers to scammers. Attorney General James has previously secured settlements totaling $5.1 million from GEICO and Travelers, as well as $500,000 from Noblr, for similar data security failures. Today’s settlement brings the total amount secured from auto insurance companies for their data protection failures to $6.57 million.

“When companies have poor data security practices, they put individuals at risk of identity theft and other fraud,” said Attorney General James. “Auto insurance companies must ensure that the systems they use to store personal data are protected to prevent cybercriminals from stealing sensitive information like driver’s license numbers and Social Security numbers. This settlement should send a clear message to companies in the auto insurance industry that my office will take action to protect New Yorkers' private information.”

Root is an insurance company that allows consumers to obtain price quotes via its website. The online quoting tool would auto-fill personal information such as driver’s license numbers after consumers entered limited details. Root’s system exposed full, plaintext driver’s license numbers in a PDF generated at the end of the quoting process.

In January 2021, Root discovered that bad actors had exploited this prefill vulnerability. The Office of the Attorney General (OAG) investigation revealed that Root failed to conduct adequate risk assessments on its public-facing web applications. The company also did not identify the plaintext exposure of consumer personal information and lacked sufficient controls to prevent automated attacks. Approximately 45,000 New Yorkers were affected by the breach.

The OAG determined that Root had failed to adopt reasonable safeguards to protect private information. As part of the settlement, Root is required to pay $975,000 in penalties and enhance its data security practices, including:

Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information.
Developing and maintaining a data inventory of private information and ensuring it is protected by reasonable safeguards.
Maintaining reasonable authentication procedures for access to private information.
Implementing a logging and monitoring system, along with policies and procedures to detect and alert on suspicious activity.

Attorney General James’ Leadership in Data Security Enforcement

Attorney General James has been a leader in holding companies accountable for inadequate cybersecurity. In March 2025, she sued Allstate Insurance for failing to protect New Yorkers' information, resulting in the exposure of data belonging to over 165,000 New Yorkers. In December 2024, she secured a $500,000 settlement with Noblr for similar data security lapses. In November 2024, she and the Department of Financial Services Superintendent Adrienne Harris secured $11.3 million from GEICO and Travelers for poor data security practices.

In October 2024, Attorney General James secured a $2.25 million settlement from a Capital Region healthcare provider for failing to protect the private information and medical data of New Yorkers. Earlier in August 2024, she and a multistate coalition secured $4.5 million from a biotech company for failing to protect patient data.

In addition, Attorney General James launched two privacy guides in July 2024: a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web. In April 2023, she released a comprehensive data security guide to help businesses strengthen their data security practices.

This matter was led by Assistant Attorneys General Gena Feist and Laura Mumm, along with former Assistant Attorneys General Hanna Baek and Ezra Sternstein. Data Security Analyst Nishaant Goswamy and former Internet and Technology Analyst Joe Graham also contributed, under the supervision of Deputy Bureau Chief Clark Russell and Bureau Chief Kim Berger of the Bureau of Internet and Technology. Data analysis was provided by Data Analyst Casey Marescot and Data Scientist Blythe Davis, under the supervision of Deputy Director Gautam Sisodia, Director Victoria Khan, former Deputy Director Megan Thorsfeldt, and former Director Jonathan Werberg of the Research and Analytics Department. The Bureau of Internet and Technology is part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.
