NY Attorney General sues Allstate over data breaches

New York Attorney General Letitia James has sued National General and its parent company, Allstate , for failing to protect consumers’ personal information.

The lawsuit follows two data breaches in 2020 and 2021 that exposed the driver’s license numbers of over 165,000 New Yorkers. The breaches stemmed from National General’s “weak cybersecurity” that allowed bad actors to access sensitive data. The Office of the Attorney General (OAG) alleges National General failed to notify affected consumers after the first breach and did not strengthen security, leading to a second, larger breach. Even after Allstate took control of National General’s data security, vulnerabilities persisted.

“National General’s weak cybersecurity emboldened hackers to steal New Yorkers’ personal data, not once but twice in two separate cyberattacks. National General mishandled New Yorkers’ personal information and violated the law by failing to inform them that their data was stolen. It is crucial that companies take cybersecurity seriously to protect consumers from fraud and identity theft, and my office will always hold those who fail to do so accountable.” – Attorney General James.

This action follows similar enforcement efforts, including a $500,000 settlement with Noblr in December 2024 and an $11.3 million penalty against GEICO and Travelers in November 2024 for similar data security failures.