Privacy The Courts The Internet

Allstate Insurance Sued For Delivering Personal Info In Plaintext (theregister.com) 23

An anonymous reader quotes a report from The Register: New York State has sued Allstate Insurance for operating websites so badly designed they would deliver personal information in plain-text to anyone that went looking for it. The data was lifted from Allstate's National General business unit, which ran a website for consumers who wanted to get a quote for a policy. That task required users to input a name and address, and once that info was entered, the site searched a LexisNexis Risk Solutions database for data on anyone who lived at the address provided. The results of that search would then appear on a screen that included the driver's license number (DLN) for the given name and address, plus "names of any other drivers identified as potentially living at that consumer's address, and the entire DLNs of those other drivers."

Naturally, miscreants used the system to mine for people's personal information for fraud. "National General intentionally built these tools to automatically populate consumers' entire DLNs in plain text -- in other words, fully exposed on the face of the quoting websites -- during the quoting process," the court documents [PDF] state. "Not surprisingly, attackers identified this vulnerability and targeted these quoting tools as an easy way to access the DLNs of many New Yorkers," according to the lawsuit. The digital thieves then used this information to "submit fraudulent claims for pandemic and unemployment benefits," we're told. ... [B]y the time the insurer resolved the mess, crooks had built bots that harvested at least 12,000 individuals' driver's license numbers from the quote-generating site.
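The defect in the summary is simple to model: a quoting form takes only a name and address, and the response prefills the full driver's licence number of that person and of everyone else a third-party database lists at the address, so a bot can walk addresses and harvest DLNs. The following is an added example written for this page, not code from Allstate, National General or LexisNexis. It shows the vulnerable handler, a hardened form that returns the DLN only masked and discloses no other household members, and a log check that flags a client quoting many distinct addresses in a short window. The risk database, names, DLNs, IP addresses and log lines are all constructed sample data.

```python
"""Toy reconstruction of the quoting-site defect described above and two
fixes: mask the prefilled licence number and watch for address enumeration.
Added example; not Allstate, National General or LexisNexis code. The risk
database, names, DLNs, IPs and log lines are all constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a third-party risk database keyed by address.
# Each record is (full name, driver's licence number); every value is made up.
RISK_DB = {
    "12 MAIN ST, ALBANY NY": [
        ("ALICE EXAMPLE", "123456789"),
        ("BOB EXAMPLE", "987654321"),
    ],
    "7 OAK AVE, BUFFALO NY": [("CAROL SAMPLE", "555000111")],
}


def quote_vulnerable(name, address):
    """The behaviour the complaint describes: the response carries the
    requester's full DLN plus the names and full DLNs of everyone else the
    database lists at that address. Name and address are the only inputs."""
    people = RISK_DB.get(address.upper(), [])
    name = name.upper()
    return {
        "dln": next((d for n, d in people if n == name), None),
        "other_drivers": [{"name": n, "dln": d} for n, d in people if n != name],
    }


def mask_dln(dln, visible=4):
    """Show only the trailing digits so a prefill cannot be harvested."""
    return "*" * (len(dln) - visible) + dln[-visible:]


def quote_hardened(name, address):
    """Hardened form: the DLN is only ever returned masked (the consumer
    types the full number themselves), and other household members are not
    disclosed at all; the form simply asks the consumer to add drivers."""
    people = RISK_DB.get(address.upper(), [])
    mine = next((d for n, d in people if n == name.upper()), None)
    return {"dln_hint": mask_dln(mine) if mine else None, "other_drivers": []}


def flag_enumerators(log_text, window=timedelta(minutes=10), max_addresses=5):
    """Detection: return client IPs that quoted more than max_addresses
    distinct addresses within any sliding window. A real shopper quotes one
    or two homes; a scraper walks a street. Log line format (constructed):
    '<ISO timestamp> <client ip> <address>'."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, addr = line.split(" ", 2)
        events[ip].append((datetime.fromisoformat(ts), addr))
    flagged = set()
    for ip, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            seen = {a for t, a in evs[i:] if t - t0 <= window}
            if len(seen) > max_addresses:
                flagged.add(ip)
                break
    return flagged


def constructed_log():
    """Constructed access log: one scraper walking a street every 30 seconds
    and one shopper re-quoting the same address, then a second one."""
    base = datetime(2025, 3, 1, 10, 0, 0)
    lines = [
        f"{(base + timedelta(seconds=30 * i)).isoformat()} 198.51.100.7 {i + 1} MAIN ST, ALBANY NY"
        for i in range(8)
    ]
    lines += [
        f"{(base + timedelta(minutes=1)).isoformat()} 203.0.113.9 7 OAK AVE, BUFFALO NY",
        f"{(base + timedelta(minutes=4)).isoformat()} 203.0.113.9 7 OAK AVE, BUFFALO NY",
        f"{(base + timedelta(minutes=9)).isoformat()} 203.0.113.9 9 ELM RD, BUFFALO NY",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(quote_vulnerable("Alice Example", "12 Main St, Albany NY"))
    print(quote_hardened("Alice Example", "12 Main St, Albany NY"))
    print(flag_enumerators(constructed_log()))
```

The threshold and window in `flag_enumerators` are illustrative; the point is that the scraper's signature (many distinct addresses per client, per unit time) is visible in ordinary access logs, which is what made a two-month undetected run avoidable.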

  • by BringsApples ( 3418089 ) on Wednesday March 12, 2025 @09:20AM (#65227557)

    ...When the state, or any governing body, sues a company like Allstate, where does that money go?

  • … is why a private company is able to have access to this data in the first place.

    • … is why a private company is able to have access to this data in the first place.

      They are an insurance company. They need that information to properly insure drivers and comply with state laws.

  • Easy way to commit voter fraud. Past residents are likely still listed because they didn't change their voter registration. Since checking voter IDs is somehow racist, this leak gives someone everything they need to vote early and vote often.

    • Since checking voter IDs is somehow racist

      You don't have access to a search engine? Explain to us how you're qualified to be on Slashdot when you can't navigate the internet.

  • by laughingskeptic ( 1004414 ) on Wednesday March 12, 2025 @09:41AM (#65227629)
    If criminals built a bot scraper, then it is likely that they went after everyone in the U.S. -- why wouldn't they? The LexisNexis Risk Solutions database has an entry for practically every adult in the U.S. -- 260 million persons and the bot ran for over 2 months undetected. It seems the press is trusting the insurance company's scoping of the incident and this seems like a big mistake.
  • A scummy company since they make it impossible to delete your information. We need privacy regulations.
  • It looks like Allstate does have a real problem with their website allowing anyone to use them as a proxy lookup. Nevertheless:

    That task required users to input a name and address, and once that info was entered, the site searched a LexisNexis Risk Solutions database for data on anyone who lived at the address provided.

    That sentence suggests that LexisNexis has all the information in question, and they sell it to others. Allstate doesn't appear to be The Problem here, at least as far as I can tell from the

  • For some states, it's relatively easy to figure out DL numbers [highprogrammer.com] knowing only basic info.
  • Or at least, as far as the corporate state knows, if you don't have a driver's license, you don't exist.

    Well, that will make life simpler for a lot of people.

  • Oh yeah, I remember. It was "You're in Groping Hands with Allstate". Sounds about right.

  • I got a letter in the mail from my insurance company. It was in plaintext. How dare they! From now on I want letters to use ROT13.

  • Wasn't in good hands

  • There were multiple companies involved in this. They all screwed up. Short of assigning blame and bankrupting the companies nothing else will stop these companies from screwing up again, and that isn't a viable solution. Most companies fundamentally don't understand security. Part of it is willful neglect, part of it is the consequences are so minimal, but the biggest part is the people making the decisions don't understand security even well enough to delegate it. They can't evaluate if their money sp
