Every journey has a beginning, and wherever you are on your career path, we want to help you along the way. At Progressive, we exist to help people move forward and live fully. We strive to create a welcoming and flexible work environment for everyone, where employees are encouraged to risk, learn, and grow. With our supportive culture, work-life balance, and one of the largest contemporary art collections in the country, there’s a reason we’ve been named one of the best places to work. For over 80 years, Progressive has offered customers a wide range of insurance choices, including auto, home, renters, commercial auto, small business, motorcycle, boat policies, and more. Progressive is the second largest auto insurer in the country—a combined effort of every single person at Progressive. We’re a dynamic group of more than 65,000 talented employees—from all walks of life, all fields of business, and all 50 states. Everyone here plays a role in our success as we continue to help our customers move forward and live fully. With hundreds of career paths including Claims, Customer Care, Sales, Marketing, Legal, IT, Data Analysis, and more, you are sure to find the destination for your career at Progressive.

Progressive Insurance A.I CyberSecurity Scoring

Progressive Insurance

Company Details

LinkedIn ID: progressive-insurance

Number of employees: 43,679

Number of followers: 282,640

NAICS: 524

Industry Type: Insurance

Homepage: progressive.com

IP Addresses: 1670

Company ID: PRO_2300011

Scan Status: Completed

Progressive Insurance Risk Score (AI oriented)

Between 600 and 649

  • Powered by our proprietary A.I cyber incident model
  • Insurance prefers the TPRM score to calculate premiums

Progressive Insurance Global Score (TPRM)

XXXX

  • Instant access to detailed risk factors
  • Benchmark vs. industry & size peers
  • Vulnerabilities
  • Findings

Progressive Insurance Company CyberSecurity News & History

Past Incidents: 2
Attack Types: 1
Progressive Corporation
Breach
Severity: 85
Impact: 4
Seen: 10/2025
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: Hackers exploited vulnerabilities in an online quote tool used by Progressive Corporation (and other auto insurers) to steal driver’s license numbers and other personal information of over **825,000 New York residents**. The stolen data was subsequently used to file **fraudulent unemployment claims** during the COVID-19 pandemic, leading to financial losses and reputational damage. The breach resulted from inadequate security measures, prompting New York’s Attorney General to impose a **$14.2 million settlement** (part of a larger $20.79 million recovery from 10 insurers). The incident highlights systemic failures in safeguarding sensitive customer data, exposing victims to identity theft and financial fraud. While no direct ransomware was involved, the exploitation of vulnerabilities enabled large-scale data theft with tangible financial consequences for affected individuals and the company.

Progressive
Breach
Severity: 85
Impact: 4
Seen: 10/2023
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: The Maine Office of the Attorney General disclosed a data breach at Progressive Northwestern Insurance Company, where an employee fraudulently used another individual’s identity to gain employment. Between **October 26, 2023, and April 19, 2024**, the imposter accessed sensitive customer data, including **driver’s license numbers, Social Security numbers, payment card details, and financial account information**. The breach impacted **14 Maine residents**, exposing them to potential identity theft and financial fraud. In response, Progressive is providing **two years of free credit monitoring and identity theft restoration services** via Kroll to mitigate risks. The incident highlights internal security failures, as the misuse of credentials went undetected for nearly six months, allowing unauthorized access to highly confidential customer records. The compromised data could facilitate fraudulent activities, financial losses, or long-term reputational damage for affected individuals and the company.


Underwriter Stats for Progressive Insurance

Incidents vs Insurance Industry Average (This Year)

Progressive Insurance has 49.25% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

Progressive Insurance has 56.25% more incidents than the average of all companies with at least one recorded incident.

Incident Types Progressive Insurance vs Insurance Industry Avg (This Year)

Progressive Insurance reported 1 incident this year: 0 cyber attacks, 0 ransomware, 0 vulnerabilities, 1 data breach, compared to industry peers with at least 1 incident.

Incident History — Progressive Insurance (X = Date, Y = Severity)

Progressive Insurance cyber incidents detection timeline including parent company and subsidiaries


Progressive Insurance Similar Companies

Allstate

At Allstate, we're advocates for peace of mind and a good life. And that comes through in everything we do. From building innovative teams that truly understand our customers' needs, to challenging each other to develop our careers in a meaningful way, and finally to the incredible results we're a

Star Health and Allied Insurance Co. Ltd

Star Health & Allied Insurance Co. Ltd. is an Indian health insurance company headquartered in Chennai. They began their operations in 2006 as India's first standalone Health Insurance provider. They offer innovative products in the health, personal accident and overseas & domestic travel insurance.

Zurich Insurance

Zurich Insurance Group (Zurich) is a leading global multi-line insurer founded more than 150 years ago, which has grown into a business serving more than 75 million customers in more than 200 countries and territories, while delivering industry-leading total shareholder returns. Our customers includ

Liberty Mutual Insurance

At Liberty Mutual, we believe progress happens when people feel secure. For more than 110 years we have helped people and businesses embrace today and confidently pursue tomorrow by providing protection for the unexpected and delivering it with care. A Fortune 100 company with more than 40,000 e

As one of the largest global insurers, our purpose is to act for human progress by protecting what matters. Protection has always been at the core of our business, helping individuals, businesses and societies to thrive. And AXA has always been a leader, an innovator, an entrepreneurial company, fo

Marsh McLennan Agency

Marsh McLennan Agency (MMA) provides business insurance, employee health & benefits, retirement & wealth, and private client insurance solutions to organizations and individuals seeking limitless possibilities. With over 15,000+ colleagues and 300+ offices across the United States and Canada, MMA co

Aflac

Over 50 Million people worldwide have chosen Aflac because of our commitment to providing customers with the confidence that comes from knowing they have assistance in being prepared for whatever life may bring. With Aflac, whether you're a large business or a small one, you can provide your emplo

GEICO

GEICO (Government Employees Insurance Company) offers a variety of insurance such as vehicle, property, business, life, umbrella, travel, pet, jewelry and more. The company, which was founded in 1936, is the third-largest auto insurer in the United States and insures vehicles in all 50 states an

China Pacific Insurance Company

China Pacific Life Insurance Co., Ltd (CPIC Life in short) was formed on the basis of life insurance business of China Pacific Insurance Co., Ltd., which was founded on May 13th 1991, and is held by CPIC Group. The company was incorporated in November 11, 2001, headquartered in Shanghai and register


Progressive Insurance CyberSecurity News

November 19, 2025 08:21 PM
Progressive Wins Appeal In Bad Faith Insurance Dispute

The Eleventh Circuit has affirmed a win for Progressive Insurance in a bad faith dispute after finding that the trial court did not err in...

November 18, 2025 04:06 PM
Progressive : Insurance® Accident Response Powered by Cambridge Mobile Telematics Provides Real-Time Crash Detection

November 18, 2025 - Mayfield Village, OH, and Cambridge, MA - Progressive Insurance and Cambridge Mobile Telematics , the world's largest...

October 22, 2025 07:00 AM
Article | DeSantis touts insurance refunds required under Florida's decades-old excess profits law

TALLAHASSEE, Florida — One of Florida's largest auto insurers plans to hand back nearly $1 billion to customers by early 2026 after the...

October 16, 2025 07:00 AM
New York Fines Auto Insurers $19M Over Cyber Lapses

Security failures exposed consumers' personal data collected through insurers' online apps and agent portals used to deliver online auto...

October 15, 2025 07:00 AM
Insurer Progressive's third-quarter profit rises on higher auto insurance demand

Progressive Corp reported a rise in third-quarter profit on Wednesday, helped by strong demand for its auto insurance policies.

October 09, 2025 07:00 AM
Basic cyber steps can block most attacks

October is Cyber Security Awareness Month, and the Australian Government has identified three critical basic areas for focus.

September 22, 2025 07:00 AM
Progressive Car Insurance Review 2025

See Forbes Advisor's Progressive car insurance review to find out about Progressive's coverage offerings, complaint level and average auto...

September 09, 2025 07:00 AM
Progressive Insurance Market Is Booming So Rapidly | Major Giants Progressive Corporation, State Farm

HTF MI just released the Global Progressive Insurance Market Study, a comprehensive analysis of the market that spans more than 143+ pages...

September 08, 2025 10:42 AM
Why Progressive's CEO thinks a little paranoia keeps leaders sharp

When Warren Buffett praises your strategy—even as the owner of rival Geico—it's tempting to take a victory lap. Progressive CEO Tricia Griffith resists.


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

Progressive Insurance CyberSecurity History Information

Official Website of Progressive Insurance

The official website of Progressive Insurance is https://careers.progressive.com/.

Progressive Insurance’s AI-Generated Cybersecurity Score

According to Rankiteo, Progressive Insurance’s AI-generated cybersecurity score is 639, reflecting their Poor security posture.

How many security badges does Progressive Insurance have ?

According to Rankiteo, Progressive Insurance currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does Progressive Insurance have SOC 2 Type 1 certification ?

According to Rankiteo, Progressive Insurance is not certified under SOC 2 Type 1.

Does Progressive Insurance have SOC 2 Type 2 certification ?

According to Rankiteo, Progressive Insurance does not hold a SOC 2 Type 2 certification.

Does Progressive Insurance comply with GDPR ?

According to Rankiteo, Progressive Insurance is not listed as GDPR compliant.

Does Progressive Insurance have PCI DSS certification ?

According to Rankiteo, Progressive Insurance does not currently maintain PCI DSS compliance.

Does Progressive Insurance comply with HIPAA ?

According to Rankiteo, Progressive Insurance is not compliant with HIPAA regulations.

Does Progressive Insurance have ISO 27001 certification ?

According to Rankiteo, Progressive Insurance is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Progressive Insurance

Progressive Insurance operates primarily in the Insurance industry.

Number of Employees at Progressive Insurance

Progressive Insurance employs approximately 43,679 people worldwide.

Subsidiaries Owned by Progressive Insurance

Progressive Insurance presently has no subsidiaries across any sectors.

Progressive Insurance’s LinkedIn Followers

Progressive Insurance’s official LinkedIn profile has approximately 282,640 followers.

NAICS Classification of Progressive Insurance

Progressive Insurance is classified under the NAICS code 524, which corresponds to Insurance Carriers and Related Activities.

Progressive Insurance’s Presence on Crunchbase

No, Progressive Insurance does not have a profile on Crunchbase.

Progressive Insurance’s Presence on LinkedIn

Yes, Progressive Insurance maintains an official LinkedIn profile, actively used for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/progressive-insurance.

Cybersecurity Incidents Involving Progressive Insurance

As of November 27, 2025, Rankiteo reports that Progressive Insurance has experienced 2 cybersecurity incidents.

Number of Peer and Competitor Companies

Progressive Insurance has an estimated 14,859 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Progressive Insurance ?

Incident Types: The types of cybersecurity incidents that have occurred include Breach.

What was the total financial impact of these incidents on Progressive Insurance ?

Total Financial Loss: The total financial loss from these incidents is estimated to be $14.20 million.

How does Progressive Insurance detect and respond to cybersecurity incidents ?

Detection and Response: The company's detection of and response to cybersecurity incidents is described as follows: incident response plan activated: likely (given public disclosure and remediation offers); third-party assistance: Kroll (for credit monitoring and identity theft restoration); remediation measures: offering 2 years of free credit monitoring and providing identity theft restoration services via Kroll; communication strategy: public disclosure via the Maine Office of the Attorney General; law enforcement notified: yes (New York State Attorney General’s office investigation).

Incident Details

Can you provide details on each incident ?

Incident : Data Breach (Insider Threat / Identity Misuse)

Title: Data Breach at United Financial Casualty Company and Progressive Northwestern Insurance Company

Description: An employee misused someone else's identity to obtain employment and gained unauthorized access to sensitive customer information, including driver’s license numbers, Social Security numbers, payment card numbers, and financial account numbers. Fourteen Maine residents were affected.

Date Publicly Disclosed: 2024-06-07

Type: Data Breach (Insider Threat / Identity Misuse)

Attack Vector: Insider Threat (Fraudulent Employment via Identity Theft)

Vulnerability Exploited: Lack of robust identity verification during hiring process

Threat Actor: Malicious Insider (Employee using stolen identity)

Motivation: Unauthorized access to sensitive data (potential financial gain or fraud)

Incident : data breach

Title: Auto Insurance Companies Data Breach Leading to Fraudulent Unemployment Claims

Description: Hackers exploited vulnerabilities in quote tools used by auto insurance companies to steal driver’s license numbers. Some of the stolen data was used to file fraudulent unemployment claims during the COVID-19 pandemic. New York State Attorney General Letitia James secured $14.2 million in settlements from eight companies, bringing the total recovered to $20.79 million from 10 insurers for data security failures.

Date Publicly Disclosed: 2023-11-07T00:00:00Z

Type: data breach

Attack Vector: exploitation of quote tool vulnerabilities, unauthorized access

Vulnerability Exploited: Vulnerabilities in online quote tools

Motivation: financial gain, fraud (unemployment claims)

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Breach.

How does the company identify the attack vectors used in incidents ?

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Fraudulent employment using stolen identity and Vulnerabilities in quote tools.

Impact of the Incidents

What was the impact of each incident ?

Incident : Data Breach (Insider Threat / Identity Misuse) PRO1014090725

Data Compromised: Driver’s license numbers, Social security numbers, Payment card numbers, Financial account numbers

Brand Reputation Impact: Potential reputational damage due to insider breach and identity theft

Identity Theft Risk: High (SSNs, financial data exposed)

Payment Information Risk: High (payment card numbers exposed)

Incident : data breach PRO3292632101525

Financial Loss: $14.2 million (settlements from 8 companies); $20.79 million total from 10 insurers

Data Compromised: Driver’s license numbers

Systems Affected: online quote tools

Brand Reputation Impact: High (due to fraudulent use of stolen data and regulatory action)

Legal Liabilities: $14.2 million in settlements (8 companies); $20.79 million total (10 insurers)

Identity Theft Risk: High (driver’s license numbers used for fraudulent unemployment claims)

What is the average financial loss per incident ?

Average Financial Loss: The average financial loss per incident is $7.10 million.

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Personally Identifiable Information (PII), Financial Data and Driver’s License Numbers.

Which entities were affected by each incident ?

Incident : Data Breach (Insider Threat / Identity Misuse) PRO1014090725

Entity Name: United Financial Casualty Company

Entity Type: Insurance Company

Industry: Insurance

Location: USA (Maine residents affected)

Customers Affected: 14 (Maine residents)

Incident : Data Breach (Insider Threat / Identity Misuse) PRO1014090725

Entity Name: Progressive Northwestern Insurance Company

Entity Type: Insurance Company

Industry: Insurance

Location: USA (Maine residents affected)

Customers Affected: 14 (Maine residents)

Incident : data breach PRO3292632101525

Entity Type: auto insurance companies

Industry: insurance

Location: New York State, USA

Customers Affected: 825,000+ residents

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Data Breach (Insider Threat / Identity Misuse) PRO1014090725

Incident Response Plan Activated: Likely (given public disclosure and remediation offers)

Third Party Assistance: Kroll (for credit monitoring and identity theft restoration)

Remediation Measures: Offering 2 years of free credit monitoring, Providing identity theft restoration services via Kroll

Communication Strategy: Public disclosure via Maine Office of the Attorney General

Incident : data breach PRO3292632101525

Law Enforcement Notified: Yes (New York State Attorney General’s office investigation)

What is the company's incident response plan?

Incident Response Plan: The company's incident response plan is described as Likely (given public disclosure and remediation offers).

How does the company involve third-party assistance in incident response ?

Third-Party Assistance: The company involves third-party assistance in incident response through Kroll (for credit monitoring and identity theft restoration).

Data Breach Information

What type of data was compromised in each breach ?

Incident : Data Breach (Insider Threat / Identity Misuse) PRO1014090725

Type of Data Compromised: Personally identifiable information (PII), Financial data

Number of Records Exposed: 14 (Maine residents)

Sensitivity of Data: High (SSNs, financial account numbers, driver’s license numbers)

Data Exfiltration: Likely (employee had access to data)

Personally Identifiable Information: Social Security numbers, Driver’s license numbers, Payment card numbers, Financial account numbers

Incident : data breach PRO3292632101525

Type of Data Compromised: Driver’s license numbers

Number of Records Exposed: 825,000+

Sensitivity of Data: High (personally identifiable information)

Data Exfiltration: Yes

Personally Identifiable Information: Yes (driver’s license numbers)

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Offering 2 years of free credit monitoring, Providing identity theft restoration services via Kroll.

Regulatory Compliance

Were there any regulatory violations and fines imposed for each incident ?

Incident : Data Breach (Insider Threat / Identity Misuse) PRO1014090725

Regulatory Notifications: Maine Office of the Attorney General

Incident : data breach PRO3292632101525

Regulations Violated: New York State data protection laws (implied)

Fines Imposed: $14.2 million (8 companies); $20.79 million total (10 insurers)

Legal Actions: Settlements secured by New York State Attorney General

Regulatory Notifications: Yes (public disclosure by Attorney General’s office)

How does the company ensure compliance with regulatory requirements ?

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Settlements secured by New York State Attorney General.

References

Where can I find more information about each incident ?

Incident : Data Breach (Insider Threat / Identity Misuse) PRO1014090725

Source: Maine Office of the Attorney General

Date Accessed: 2024-06-07

Incident : data breach PRO3292632101525

Source: New York State Attorney General Press Release

Date Accessed: 2023-11-07

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at the following sources: Maine Office of the Attorney General (date accessed: 2024-06-07) and New York State Attorney General Press Release (date accessed: 2023-11-07).

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Data Breach (Insider Threat / Identity Misuse) PRO1014090725

Investigation Status: Disclosed (ongoing or completed not specified)

Incident : data breach PRO3292632101525

Investigation Status: Completed (settlements reached)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public disclosure via Maine Office of the Attorney General.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Data Breach (Insider Threat / Identity Misuse) PRO1014090725

Customer Advisories: Offer of 2 years free credit monitoring and identity theft restoration via Kroll

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: Offer of 2 years free credit monitoring and identity theft restoration via Kroll.

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Data Breach (Insider Threat / Identity Misuse) PRO1014090725

Entry Point: Fraudulent employment using stolen identity

High Value Targets: Customer PII and financial data

Data Sold on Dark Web: Customer PII and financial data

Incident : data breach PRO3292632101525

Entry Point: Vulnerabilities in quote tools

High Value Targets: Driver’s License Numbers

Data Sold on Dark Web: Driver’s License Numbers

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Data Breach (Insider Threat / Identity Misuse) PRO1014090725

Root Causes: Insufficient Identity Verification During Hiring, Lack Of Monitoring For Insider Threats

Incident : data breach PRO3292632101525

Root Causes: Inadequate Security Measures In Online Quote Tools

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Kroll (for credit monitoring and identity theft restoration).

Additional Questions

General Information

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking group in the last incident was a Malicious Insider (Employee using stolen identity).

Incident Details

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2023-11-07T00:00:00Z.

Impact of the Incidents

What was the highest financial loss from an incident ?

Highest Financial Loss: The highest financial loss from an incident was $14.2 million (settlements from 8 companies); $20.79 million total from 10 insurers.

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident were Driver’s license numbers, Social Security numbers, Payment card numbers and Financial account numbers.

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant system affected in an incident was online quote tools.

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Kroll (for credit monitoring and identity theft restoration).

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Payment card numbers, Financial account numbers, Social Security numbers and Driver’s license numbers.

What was the number of records exposed in the most significant breach ?

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 825.0K.

Regulatory Compliance

What was the highest fine imposed for a regulatory violation ?

Highest Fine Imposed: The highest fine imposed for a regulatory violation was $14.2 million (8 companies); $20.79 million total (10 insurers).

What was the most significant legal action taken for a regulatory violation ?

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was Settlements secured by New York State Attorney General.

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent sources of information about an incident are New York State Attorney General Press Release and Maine Office of the Attorney General.

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Disclosed (ongoing or completed not specified).

Stakeholder and Customer Advisories

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisory issued was an Offer of 2 years free credit monitoring and identity theft restoration via Kroll.

Initial Access Broker

What was the most recent entry point used by an initial access broker?

Most Recent Entry Point: The most recent entry points used by an initial access broker were vulnerabilities in quote tools and fraudulent employment using a stolen identity.

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis?

Most Significant Root Cause: The most significant root causes identified in post-incident analysis were insufficient identity verification during hiring, lack of monitoring for insider threats, and inadequate security measures in online quote tools.

Latest Global CVEs (Not Company-Specific)

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is an XSRF token leakage via protocol-relative URLs in Angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL is protocol-relative (starts with //), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

Risk Information
cvss4
Base: 7.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.

Risk Information
cvss4
Base: 8.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2.

Risk Information
cvss4
Base: 6.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.

Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data.

Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Access Data Using Our API

Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=progressive-insurance' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.