MAPFRE Insurance, which writes property and casualty insurance in 19 US states, was hit with a data breach in July impacting more than 300,000 of its customers and is now facing a federal lawsuit seeking class action status alleging negligence and violations of privacy regulations.
The company, based in Webster, Mass., has been somewhat tight-lipped about the incident, but in a letter sent to customers at the end of August, MAPFRE said the data breach occurred between July 1 and July 2, and involved “an unknown party” obtaining access to driver’s license numbers through its online quoting platform.
“The unknown party may also have obtained access to information regarding vehicles you own, including make, model, year, and vehicle identification number,” the letter stated.
MAPFRE said it took down the online quoting platform as soon as it became aware of the breach and implemented additional controls within the system to prevent a reoccurrence of the incident.
In a statement, the company said “an unknown party used information about certain individuals – which was already in the unknown party’s possession – to obtain access to additional information through mapfreinsurance.com.” The company has not responded to questions about how the “unknown party” apparently already had customer login information.
Security testing conducted
In a subsequent statement, MAPFRE said it retained an independent third party, which it declined to identify, to conduct security testing of the platform before bringing it back online.
“The Company’s Agent Portal was not involved,” the insurer said.
MAPFRE declined to provide a spokesperson to respond to questions about the incident.
MAPFRE, a Spanish-headquartered multinational insurer, purchased Massachusetts-based Commerce Insurance in 2007. It is certainly not alone in being victimized by cyber criminals, and such incidents are becoming almost common. Recent reports say third-party data breaches rose 136% last year, particularly affecting insurers, healthcare organizations, utilities, retail chains and many others.
“Most large organizations connect and share data with dozens of partners and vendors,” said a report by cybersecurity company ForgeRock. “But a compromised login credential in any one of those companies can put all the others at risk.”
Cyberattack frequency no excuse, say attorneys
Attorneys for impacted consumers say, however, that the frequency of cyberattacks is no excuse for companies allowing them to happen.
“While the exact reason(s) for the data breach remain unclear, there is no doubt that [MAPFRE] failed to adequately protect [customers’] private information and incorporate the tools necessary to keep such private information safe,” reads a lawsuit seeking class action status that was filed early this month in US District Court of Massachusetts by two customers of the insurer. “Such negligent failures resulted in injuries…”
The lawsuit seeks unspecified damages for MAPFRE’s alleged failure to exercise reasonable care in securing and safeguarding the sensitive consumer data.
“To the world of cyber criminals, MAPFRE’s private information, including data that was in possession at the time of the data breach, is extremely valuable,” reads the lawsuit, filed by attorneys at Watley Kallas LLP, in Boston, and Migliaccio & Rathod LLP, in Washington, DC. “By accessing plaintiffs’ private information, hackers can simply use a driver’s license to steal identities. Stolen driver’s licenses wreak havoc and identity theft issues for MAPFRE potential customers and customers.”
The suit alleges there was a long delay in notifying customers of the data breach, giving more time for hackers to copy sensitive information that included names, driver’s license numbers, make, model, year, and vehicle identification numbers.
The suit cites a national credit reporting blogger on the value of a driver’s license to thieves.
“If someone gets your driver’s license number, it is also concerning because it’s connected to your vehicle registration and insurance policies, as well as records on file with the department of motor vehicles, place of employment, doctor’s office, government agencies, and other entities,” said the blogger, Sue Poremba. “Having access to that one number can provide an identity thief with several pieces of information they want to know about you. Next to your Social Security number, your driver’s license is one of the most important pieces to keep safe from thieves.”
“With a driver’s license number, bad actors can manufacture fake IDs, slotting in the number for any form that requires ID verification or use the information to craft curated social engineering phishing attacks,” said Tim Sadler, CEO of email security firm Tessian.
A 'lucrative' scam
“Using these numbers to fraudulently apply for unemployment benefits in someone else’s name is a scam proving especially lucrative for hackers as unemployment numbers continue to soar,” he said. “In other cases, a scam using these driver’s license numbers could look like an email that impersonates the DMV, requesting the person verify their driver’s license number, car registration or insurance information, and then inserting a malicious link or attachment into the email.”
MAPFRE has offered complimentary credit monitoring for a year that includes theft resolution services and $1 million in identity theft insurance. The company has denied the allegations in the complaint and said it will vigorously defend the lawsuit, which it said contains “many inaccuracies” that it has not specified.
The 46-page complaint alleges seven counts, including violation of the Drivers’ Privacy Protection Act, negligence, breach of contract, breach of implied contract, unjust enrichment, breach of fiduciary duty, and an appeal for injunctive relief.
The suit alleges MAPFRE’s data-security measures remain inadequate even after the recent incident.
“Even if every employee is trained in security best practices, just one accidental click on a malicious link in a legitimate-looking email can open the door to an intruder,” said the recent data breach report from ForgeRock. “Accounts can be taken over, data stolen, and systems brought down. The results can be devastating and far-reaching for the organization, its customers, and other companies it shares data with. Still, from the intruder’s standpoint, it only takes one compromised identity.”
The report said the number of breached records reported in 2022 was actually the lowest in five years, having dropped by more than half: 1.5 billion in 2022 as opposed to an average of 3.9 billion over the past four years.
“But looks can be deceiving,” it said, “a closer analysis reveals that while the number of breached records is lower, the records stolen contain more highly sensitive identity data that can result in longer-term damage.”
Attacks targeting organizations through third-party service providers accounted for 52% of all breaches, the report said, illustrating the interconnectedness of identities. Healthcare and education emerged as the most vulnerable industry sectors.
Doug Bailey is a journalist and freelance writer who lives outside of Boston.
© Entire contents copyright 2023 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.