New York Attorney General secures $975K settlement from Root Insurance over data breach

  • Staff Report 

What Happened in the Root Insurance Data Breach Case?

New York Attorney General Letitia James announced on March 20, 2025, that her office has secured $975,000 from Root Insurance following a data breach that exposed the driver’s license numbers and personal information of roughly 45,000 New Yorkers. Though Root does not sell insurance in New York, its vulnerable online quote system left New York residents’ data unprotected and open to exploitation by cybercriminals.

This latest enforcement brings the total collected from auto insurance companies for data security failures to $6.57 million.


How Was New Yorkers’ Information Compromised?

The breach occurred through a “pre-fill” vulnerability in Root’s auto quote application:

  • When users input limited personal data, Root’s system automatically populated sensitive information, including driver’s license numbers, into a downloadable PDF in plain text.
  • In January 2021, Root discovered malicious actors exploiting this flaw to access personal data.
  • Some of the stolen information was used to file fraudulent unemployment claims during the COVID-19 pandemic.

The New York Attorney General’s investigation concluded that Root had failed to conduct adequate risk assessments and lacked basic cybersecurity protections, making it easier for hackers to target their system.


What Security Failures Did Root Commit?

According to the Office of the Attorney General (OAG), Root Insurance failed in several key areas:

  • Did not identify the plaintext exposure of personal information in public-facing systems.
  • Neglected to implement safeguards against automated cyberattacks.
  • Lacked adequate authentication procedures and monitoring systems to detect suspicious activity.

What Does the Settlement Require?

In addition to the $975,000 penalty, Root must now:

  • Implement a comprehensive information security program.
  • Maintain a detailed inventory of private information and apply reasonable protections.
  • Enforce multi-layered authentication protocols.
  • Deploy a robust monitoring system with clear alerts for suspicious behavior.

Attorney General James Cracks Down on Cybersecurity Negligence

Attorney General James has made data privacy enforcement a top priority, especially as cyberattacks targeting sensitive consumer data increase. Notable actions include:

Company                        | Amount Secured            | Issue
GEICO & Travelers              | $5.1 million              | Inadequate data security
Noblr                          | $500,000                  | Privacy failures
Capital Region Health Provider | $2.25 million             | Exposed medical records
Biotech Company                | $4.5 million (multistate) | Mishandling of patient data
Allstate (pending)             | N/A                       | Ongoing litigation (165,000+ affected)

Why It Matters: A Warning to the Auto Insurance Industry

This case signals a broader warning to the auto insurance industry and all companies managing sensitive data: cybersecurity negligence carries financial and reputational consequences. Even if a company doesn’t operate in a given state, exposing residents’ data can trigger enforcement action.

“Auto insurance companies need to make sure that the systems they use to store people’s data are protected,” said AG James. “Today’s settlement should send a message.”


Key Takeaways for Consumers and Businesses

  • Consumers: Be cautious when sharing personal data online, even for something as routine as an insurance quote.
  • Businesses: Ensure data encryption, risk assessments, and system monitoring are in place to defend against modern cyber threats.

📌 Tip: Companies should consult New York’s Data Security Guide for Businesses to ensure compliance and avoid penalties.


Stay Informed on Cybersecurity Enforcement

Follow updates from:

This case reflects New York’s growing commitment to holding corporations accountable and protecting residents’ digital privacy in an era of escalating cyber threats.


