
What can we learn from the US data breaches?

  • Writer: rrelentless
  • Dec 17, 2024
  • 3 min read

Updated: Feb 26


In the US, the state of New York’s Attorney General has fined two large insurance companies, GEICO and Travelers Indemnity Company, following data breaches which ultimately revealed gaps in their respective cyber security systems.  


Whilst this happened in the US, which is subject to a different data protection regime from what we have in the UK, it is important to understand all types of cyber attack and the security measures which are needed to avoid or mitigate that risk when operating anywhere in the world. 

rradar’s legal experts from their Cyber, Data and Information Law team have followed the news story. 


A Stark Reminder of Vulnerabilities   


The breaches dated back to 2020/2021 and a combined penalty of US$11.3 million has been imposed (US$9.75 million against GEICO and US$1.55 million against Travelers).


In the case of the GEICO breach, its quoting tool was exploited by cyber criminals using credential stuffing, meaning that they used usernames and passwords stolen in other breaches and tried those combinations against the tool until they gained access.


Once they were inside GEICO’s system, they were able to take driving licence numbers for around 116,000 individuals. Whilst this may seem like innocuous information in itself, it is still personal data and can be used for identity theft.  


The Attorney General considered that GEICO’s quoting tool did not contain appropriate measures to guard against credential stuffing. In particular, defences such as bot detection and enhanced verification could likely have prevented the cyber criminals from gaining access.   
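The credential-stuffing pattern described above (one source trying many stolen username/password pairs in quick succession) is something a login audit log makes visible even without a dedicated bot-detection product. The following is an added illustration written for this post, not code from the article or from either insurer; the log format, IP addresses, account names and thresholds are all constructed and assumed. It groups login events by source IP, slides a time window over each source's attempts, and flags a source that hits many distinct accounts with a high failure rate, listing any accounts that were successfully logged into during the burst so they can be sent for step-up verification or a password reset.

```python
"""Flag credential-stuffing bursts in a login audit log (added, constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of a quoting tool's login audit log. Format assumed:
# "<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>" per line.
SAMPLE_LOG = """\
2024-12-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-12-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-12-01T10:00:02Z 203.0.113.7 carol@example.com FAIL
2024-12-01T10:00:03Z 203.0.113.7 dave@example.com SUCCESS
2024-12-01T10:00:04Z 203.0.113.7 erin@example.com FAIL
2024-12-01T10:00:05Z 203.0.113.7 frank@example.com FAIL
2024-12-01T10:00:06Z 203.0.113.7 grace@example.com FAIL
2024-12-01T10:00:07Z 203.0.113.7 heidi@example.com FAIL
2024-12-01T10:01:00Z 198.51.100.20 alice@example.com FAIL
2024-12-01T10:01:30Z 198.51.100.20 alice@example.com FAIL
2024-12-01T10:02:00Z 198.51.100.20 alice@example.com SUCCESS
2024-12-01T10:03:00Z 192.0.2.55 bob@example.com SUCCESS
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Event]:
    """Parse audit lines into Event objects, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, ip, user, outcome == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def detect_credential_stuffing(events: list[Event],
                               window: timedelta = timedelta(minutes=5),
                               min_users: int = 5,
                               min_fail_ratio: float = 0.5) -> dict:
    """Return {source_ip: finding} for sources that, within `window`, attempted
    at least `min_users` distinct accounts with a failure ratio >= `min_fail_ratio`.
    A normal user mistyping their own password touches one account, so it is not flagged.
    """
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the span never exceeds `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            fails = sum(1 for e in span if not e.ok)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                candidate = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "failures": fails,
                    # Accounts that were successfully entered during the burst:
                    # these are the ones the attacker's stolen pairs matched.
                    "compromised_accounts": sorted(e.user for e in span if e.ok),
                }
                # Keep the widest burst seen for this source.
                if best is None or candidate["distinct_users"] > best["distinct_users"]:
                    best = candidate
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['distinct_users']} accounts, {f['failures']}/{f['attempts']} failed, "
              f"successful logins for {f['compromised_accounts']}")
```

The thresholds are deliberately tuned for the constructed sample; in practice they would be set from the service's own baseline of failed logins per source, and the same grouping is worth repeating per username (one account hit from many sources) and per network range, since stuffing tools commonly rotate addresses. The output is a detection, not a block: the natural responses are rate limiting, a bot or CAPTCHA challenge on the quoting tool, and forced re-verification of the accounts listed.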

Although the cyber criminals committed a crime in unlawfully accessing its system and taking personal data, GEICO’s failure to properly protect the data it was processing resulted in a US$9.75 million fine.


The Travelers breach was not quite as large, affecting around 4,000 individuals. In that case, the cyber criminals used stolen employee credentials to gain access to Travelers’ computer system.  

As Travelers did not have Multifactor Authentication in place, there was no second line of defence against the cyber criminal who was able to simply log in with just a username and password.  

Even though there has been no known use of the data that the cyber criminals were able to access, the Attorney General considered that Travelers was remiss not to use Multifactor Authentication, and that lack of appropriate security resulted in a US$1.55 million fine.


In the UK, data breaches can invite financial penalties by the UK regulator, the Information Commissioner’s Office (ICO). The ICO has the power to impose fines of up to £17.5 million or 4% of global turnover under UK GDPR.


A Cautionary Tale 


The US$11.3 million fine is evidence that the US is also holding organisations accountable for inadequate data protection measures. The hope is that businesses worldwide take from this that good cyber security is key, and that having proper technical measures in place will help in the global fight against cyber crime.


For UK businesses, the case underscores the necessity of robust cybersecurity frameworks which could avoid or reduce a similar fine being levied in this country.  

The ICO has not shied away from imposing significant penalties for similar large-scale breaches affecting customer data, such as the fines issued to British Airways (£20 million in 2020 following the 2018 cyber attack) and Marriott Hotels (£18.4 million, also issued in 2020 relating to a breach first discovered in 2018). 



Lessons for UK Companies   


1. Compliance: 

Any businesses processing any personal data must prioritise GDPR compliance, which will ensure the best protection in the event of a cyber attack. 


2. Cybersecurity Investment: 

With cyber threats on the rise, investment in advanced encryption and threat detection systems is no longer optional. Regular reviews and updates of security measures should be undertaken. 


3. Incident Response Planning: 

Having a comprehensive response plan will enable any business to mitigate the fallout of breaches, including reducing or avoiding any potential fines and preserving customer trust. 


4. Customer Transparency: 

Clear communication with affected parties is critical in maintaining trust and mitigating reputational damage. 



Cross-Border Considerations   


With many insurers operating internationally, the case also emphasises the interconnected nature of global data protection laws. UK-based firms working with US customers—or vice versa—must navigate compliance with both GDPR and evolving US privacy regulations. Harmonising these standards could become a competitive advantage. 


Conclusion   


For UK businesses, the GEICO and Travelers attacks highlight the need to fortify data protection measures and stay ahead of evolving threats. In a world where data breaches can transcend borders, compliance and cybersecurity are no longer optional—they are essential for survival and success in a digital-first economy.  


With businesses so heavily dependent on technology, it pays to know your cyber and data risks. By learning from cases like this, UK businesses can avoid similar pitfalls and foster greater trust in their services.   
