NEW YORK (Reuters) -New York state sued Allstate on Monday, accusing the insurer's National General unit of failing to report a data breach that exposed drivers' license numbers, and lacking reasonable safeguards to protect drivers' private information.

The lawsuit by New York Attorney General Letitia James was filed in a state court in Manhattan.

James said National General's poor data security led to back-to-back breaches in 2020 and 2021, when hackers targeting its online auto insurance quoting tools accessed license numbers of more than 165,000 New Yorkers and 199,000 people overall.

National General allegedly did not notify drivers or New York state agencies about the first breach, which occurred between August and November 2020, and needed three months to uncover the much larger second breach in January 2021.

James said National General violated the state's Stop Hacks and Improve Electronic Data Security Act for failing to protect customer information, and violated state consumer protection laws by misleading customers about its data security practices.

The lawsuit seeks civil fines of $5,000 per violation, plus other remedies.

"National General's weak cybersecurity emboldened hackers to steal New Yorkers' personal data, not once but twice," James said. "It is crucial that companies take cybersecurity seriously to protect consumers from fraud and identity theft."

In a statement, Allstate defended its response to the breaches.

"We resolved this issue years ago, promptly securing our systems after finding vulnerabilities in online quoting tools that could have exposed drivers' license numbers," it said. "We promptly notified regulators, contacted potentially affected consumers and offered free credit monitoring as a precaution."

The Northbrook, Illinois-based insurer bought National General for about $4 billion in January 2021.

In November, James and New York's Department of Financial Services fined Berkshire Hathaway's Geico unit $9.75 million and Travelers $1.55 million over alleged security lapses that compromised drivers' personal information.

(Reporting by Jonathan Stempel in New York; Editing by Mark Porter, Deepa Babington, Bill Berkrot and Marguerita Choy)