New York Attorney General Letitia James has filed a lawsuit against National General and its parent company, Allstate Insurance, over allegations of inadequate data security that led to two cyberattacks compromising the personal information of more than 165,000 New Yorkers.

According to the lawsuit, National General experienced two separate data breaches in 2020 and 2021, during which attackers gained access to driver’s license numbers through the company’s online auto insurance quoting system. The Office of the Attorney General (OAG) claims that National General failed to take adequate security measures before and after the breaches, allowing the second incident to occur. The company is also accused of failing to notify affected consumers and state agencies about the first breach, which allegedly left personal information exposed for months.

The lawsuit seeks penalties for the company’s failure to implement reasonable data protection measures and notify consumers, as well as an injunction to prevent future violations.

The first breach, which occurred in 2020, exploited vulnerabilities in National General’s online quoting system, where full driver’s license numbers were reportedly displayed in plain text with minimal input. Attackers were able to extract the information from two public-facing websites, affecting nearly 12,000 individuals, including more than 9,100 in New York. The breach went undetected for two months due to inadequate monitoring, the lawsuit states.

Following this incident, National General did not alert consumers or regulators, according to the Attorney General's office. Additionally, another online quoting system used by independent insurance agents remained vulnerable, leading to a second, larger breach in February 2021. That breach compromised the personal data of an additional 187,000 consumers, including 155,000 in New York.

The lawsuit claims that National General’s data security issues persisted even after it was acquired by The Allstate Corporation, which took control of its data security operations.

Under New York law, companies that collect or store private consumer data are required to implement security measures to prevent unauthorized access. The Attorney General’s office alleges that National General’s failure to do so constitutes a violation of state consumer protection and business laws.

This lawsuit is part of a broader effort by Attorney General James to hold insurance companies accountable for cybersecurity lapses. In recent months, settlements have been reached with other insurers, including Noblr, GEICO, and Travelers Insurance, following similar data breaches.

The case will now proceed in court, with the Attorney General’s office seeking financial penalties and stronger security measures from National General and Allstate. Neither company has publicly responded to the lawsuit as of this report.