New York State has sued Allstate Insurance for operating websites so badly designed they would deliver personal information in plain text to anyone who went looking for it.
The data was lifted from Allstate’s National General business unit, which ran a website for consumers who wanted to get a quote for a policy. That task required users to input a name and address, and once that info was entered, the site searched a LexisNexis Risk Solutions database for data on anyone who lived at the address provided.
The results of that search would then appear on a screen that included the driver’s license number (DLN) for the given name and address, plus “names of any other drivers identified as potentially living at that consumer’s address, and the entire DLNs of those other drivers.”
Naturally, miscreants used the system to mine for people’s personal information for fraud.
“National General intentionally built these tools to automatically populate consumers’ entire DLNs in plain text — in other words, fully exposed on the face of the quoting websites — during the quoting process,” the court documents [PDF] state.
“Not surprisingly, attackers identified this vulnerability and targeted these quoting tools as an easy way to access the DLNs of many New Yorkers,” according to the lawsuit. The digital thieves then used this information to “submit fraudulent claims for pandemic and unemployment benefits,” we’re told.
When asked about the lawsuit, an Allstate spokesperson emailed The Register the following statement:
But by the time the insurer resolved the mess, crooks had built bots that harvested at least 12,000 individuals’ driver’s license numbers from the quote-generating site.
“Because National General had not instituted tools to meaningfully block such automated attacks or sufficiently monitor for potentially malicious activity, National General did not detect these attacks for over two months, until November 2020,” according to the court documents.
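As an added illustration, not code from National General or from the court filing, the following Python sketch shows the two controls the complaint says were missing: presenting only a masked DLN on the quote page, and flagging source IPs whose quote-request rate inside a sliding window looks automated rather than human. The log line format, the 20-requests-per-five-minutes threshold and the sample log entries are all assumptions constructed for the example.

```python
# Added illustration (not National General's code): two controls the lawsuit says
# were missing from the quoting site. Log format and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

def mask_dln(dln: str, visible: int = 4) -> str:
    """Return the DLN with all but the last `visible` characters replaced by '*'.
    The complaint says the site auto-populated the *entire* DLN in plain text;
    a quote page only needs enough of it for the consumer to recognise their own.
    """
    dln = dln.strip()
    if len(dln) <= visible:
        return "*" * len(dln)
    return "*" * (len(dln) - visible) + dln[-visible:]

def flag_automated_quoting(log_lines, threshold=20, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for IPs that made more than `threshold` quote
    requests inside any sliding `window`. Each line is assumed to look like
    "<ISO timestamp> <ip> <method> /quote" (constructed format, not a real log)."""
    hits = defaultdict(list)
    for line in log_lines:
        ts, ip, method, path = line.split()
        if path == "/quote":
            hits[ip].append(datetime.fromisoformat(ts))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample: one scraper burst (25 requests in 25 seconds) and one
# ordinary consumer who requested two quotes a few minutes apart.
SAMPLE_LOG = [
    f"2020-09-15T10:00:{s:02d} 203.0.113.7 POST /quote" for s in range(25)
] + [
    "2020-09-15T10:03:00 198.51.100.4 POST /quote",
    "2020-09-15T10:07:30 198.51.100.4 POST /quote",
]

if __name__ == "__main__":
    print(mask_dln("123456789"))               # *****6789
    print(flag_automated_quoting(SAMPLE_LOG))  # {'203.0.113.7': 25}
```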
After discovering this breach, the company failed to notify the more than 9,100 New Yorkers whose data was compromised, in violation of state law.
National General made a similar mistake on a quote-generating tool it provided to its agents, and that one allowed criminals to swipe details on another 187,000 people.
The insurance agents who used this quoting tool were required to provide their username and password. “But these credentials offered little actual protection due to National General’s poor access controls,” the lawsuit claims.
The insurance company, the filing further alleges, didn’t require sufficiently long or complex passwords, and it sent agents their passwords in plain text, using unencrypted email. It also allowed insurance agencies to share one password among all their users, and it didn’t require agents to use multi-factor authentication to access the portal. In other words, the portal was ripe for abuse and use by outsiders, it’s claimed.
“While the specific source of the breaches was National General’s design and release of several insecure websites, the broader cause of the incidents was National General’s prioritization of profit over the implementation of reasonable data security safeguards,” the lawsuit states.
New York is seeking penalties for the company’s failure to institute data security safeguards and notify consumers, and an injunction to stop any continued violations.
Earlier this year, the state of Texas filed a lawsuit against Allstate Corporation and its mobile analytics subsidiary, Arity, alleging the insurance giant conspired with mobile app developers to collect telematics data on millions of motorists without consent. ®