A South Hadley man last week filed what he hopes will be a class action against Mapfre USA over the way hackers obtained personal information for Massachusetts drivers from its get-a-quote Web site.
In his suit, filed in US District Court in Boston, Brian Conway argues Mapfre - and its subsidiary, Commerce Insurance - had more than ample advance warning that the auto-populate function on the site was an info thief's dream, because it let somebody type in some of a driver's personal information, such as their address and birth date, and get back far more information in auto-filled form fields, including driver's license IDs, make and models of cars and VINs.
Following the Data Disclosure, Plaintiff Conway experienced an approximately $400.00 fraudulent charge on his Mastercard. This fraud occurred after MAPFRE's Data Disclosure. This fraud and identity theft is temporally and logically connected to the data derived from MAPFRE's Data Disclosure in the same way that data breach and other privacy cases have found to be "fairly traceable." MAPFRE disclosed Plaintiff Conway's driver's license number and, potentially, other personal information, shortly before he experienced the fraud.
Conway continues that the insurers knew there were ways to block the release of a person's information but refused to do that to make it easier to drum up business in a post-pandemic world in which would-be customers continued to be more likely to seek insurance online rather than in person or on the phone.
Since their Data Disclosure, Defendants have confirmed few changes to their decision to disclose the PI, their data security infrastructure, processes, or procedures to fix the vulnerabilities in their computer systems or online sales system.
In addition to being named lead plaintiff in a class-action suit, Conway is seeking an order requiring Mapfre and Commerce to fix all their online holes and stop letting data thieves suck informaiton out of their quoting sites plus, of course, suitable damages and attorneys' fees.