A new class action lawsuit filed last week alleges MAPFRE U.S.A. Corp. and its subsidiary, The Commerce Insurance Company (MAPFRE), improperly allowed the disclosure of insureds’ personal data, including driver’s license numbers, through a vulnerability in the insurers’ online quoting system. This is the second class-action lawsuit against MAPFRE over a July data breach that allowed the theft of hundreds of thousands of insureds’ personal information, including driver’s license numbers.
The suit alleges MAPFRE’s ‘Auto-populate’ quoting system allowed cybercriminals to harvest driver’s licenses
Filed in Massachusetts federal court, the lawsuit accuses MAPFRE of exploiting customers’ personal information for competitive gain at the expense of privacy rights. It claims the insurer’s website auto-populated insurance quote requests with driver’s license numbers and other data when a user entered basic public information like name and address.
The system allegedly did not verify the user was the person being quoted or protect against bots harvesting the data. This system flaw purportedly allowed identity thieves to easily obtain hundreds of thousands of MAPFRE’s customers’ protected personal information.
MAPFRE sent statutory data breach notices in August to its insureds
According to the complaint, MAPFRE sent data breach notices in August acknowledging unauthorized third parties accessed driver’s licenses and vehicle data through its Massachusetts online quoting platform between July 1 and 2. The notice did not state when the company first became aware of the vulnerability.
The Plaintiff alleges credit card fraud caused by the MAPFRE breach
The suit’s Plaintiff, Brian Conway of South Hadley, alleges he received a MAPFRE breach notice stating his driver’s license number was compromised. He claims to have already experienced credit card fraud following the breach that allowed access to his license information.
Claim of MAPFRE violating the federal Driver’s Privacy Protection Act
The suit accuses MAPFRE of violating the federal Driver’s Privacy Protection Act (DPPA) by knowingly disclosing protected license data without a permitted purpose under the law. It also alleges negligence for failing to safeguard customers’ personal information adequately.
Beyond actual and statutory damages under the DPPA, the complaint seeks declaratory and injunctive relief, forcing MAPFRE to implement more robust security practices around customer data.
These practices would include barring the insurer from disclosing personal data on public-facing websites, conducting periodic security audits, and training employees on risks surrounding the disclosure of an insured’s personal information.
[For a summary of how DPPA applies to agencies and insurers, see Agency Checklists, June 2, 2015, “Watch Out For Agency’s Liability Under The Driver Privacy Protection Act.”]
The lawsuit seeks class-action status.
The Conway suit seeks a national class action covering all MAPFRE customers affected by MAPFRE’s data breach, while a separate Massachusetts class would represent state residents affected.
The suit alleges MAPFRE’s quoting system lacked safeguards to prevent data harvesting
MAPFRE has marketed itself as the 19th largest private auto insurer in the U.S. and heavily utilizes direct online and phone sales. The lawsuit alleges the company added the automatic population of license numbers to gain a competitive edge in selling policies.
The complaint claims MAPFRE configured the system to provide license data to anyone—including bots—to reduce quoting time and speed up the sales process. This program, however, purportedly lacked safeguards to verify users or block automated data harvesting.
Driver’s license a major target for cybercriminal data harvesting
Cybersecurity experts note driver’s license numbers are especially attractive targets for fraudsters. The information can facilitate identity theft and be used to manufacture fake IDs, open accounts, or file for unemployment benefits.
The targeting of online quoting systems identified in 2021
Per the complaint, the New York Department of Financial Services warned in a 2021 alert about an aggressive campaign targeting insurers’ auto quote sites to steal license data and perpetrate unemployment fraud. The complaint alleges MAPFRE ignored these risks in exploiting customers’ information.
While MAPFRE stated it quickly suspended the affected website once aware of the issue, the lawsuit alleges MAPFRE was negligent in allowing such an open vulnerability to exist at all.
The Conway suit is the second data breach class action filed in a week against MAPFRE
Mr. Conway’s class action suit is the second lawsuit filed in a week against MAPFRE over the July 1 and 2 data breach.
Two plaintiffs, Richard Ma and Fred Devereaux, filed the first class action suit against MAPFRE over this data breach on September 6, 2023, in the United States District Court in Boston. Their lawsuit seeks to represent a nationwide class consisting of:
“All persons whose personal information was accessed, compromised, copied, stolen, and/or exposed as a result of the MAPFRE (and any of MAPFRE’s affiliates) Data Breach.”
In both actions, MAPFRE will have sixty days to respond if it accepts service of the complaints.
Agency Checklists will keep you posted.