A few days ago, the Department of Financial Services (DFS) looked at an unusual pattern of interaction with multiple insurance websites and concluded that cybercriminals were exploiting data obtained from those website interactions to commit fraud. Website operators of all types should take note of the DFS’ warning and consider whether their websites may also be vulnerable to criminal exploitation.
On February 16, the Department of Financial Services issued an Industry Letter concerning a “systemic and aggressive campaign to exploit a cybersecurity flaw in public-facing websites to steal Nonpublic Information (NPI).” According to DFS, the campaign’s purpose is to use the NPI obtained by hackers to steal pandemic and unemployment benefits.
To do so, hackers have been infiltrating public-facing websites that access or transmit NPI. Most frequently, the scheme has been employed on “Instant Quote Websites,” which provide instant quotes for auto or other insurance using the consumer’s NPI and display redacted NPI back to the consumer.
In addition to car insurance, criminals are targeting a broad range of public-facing websites that utilize instant quotes, the regulator said in Tuesday’s alert. The alert noted that hackers had even found a way to steal information that had been fully redacted.
According to the DFS release, the scheme is part of an explosive surge in benefits fraud during the pandemic. DFS observed that these concerted efforts to steal NPI from New Yorkers have coincided with the enhanced identity requirements needed to obtain pandemic benefits in New York.
The DFS explains that all companies with a public-facing website that displays or transmits redacted or unredacted NPI, such as Instant Quote Websites, are vulnerable to this type of data theft. DFS recommends that entities with Instant Quote Websites take steps such as reviewing data analytics and website traffic for spikes in the number of abandoned quotes and examining server logs for evidence of unauthorized access to NPI.
The DFS also suggests that any entity that maintains a public-facing website that displays or transmits NPI should:
- conduct a review of the website’s security controls
- review the website’s browser web tool functionality to limit users’ ability to adjust or manipulate the website’s content
- confirm that redaction and data obfuscation are properly implemented throughout the entire transmission
- ensure that privacy protection measures are up to date and effective, so that NPI can be viewed only by those who are authorized to see it
- block the IP addresses of suspected unauthorized users
- limit the number of quotes that a user can request per session.
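Two of the recommendations above, redacting NPI before it is transmitted and watching server logs for per-session quote abuse and abandoned quotes, can be illustrated in code. The following Python script is an added example and is not part of the DFS letter or of any insurer's website; the quote record fields, the log line format, the session ids and the IP addresses are all constructed for the demonstration. It masks NPI on the server from an allow-list so that the raw values never reach the browser, parses sample access-log lines, counts quote requests per session against a limit, and lists sessions that viewed a quote result but never purchased.

```python
"""Added example (not DFS text): server-side redaction of NPI before it leaves
the server, plus log checks for the quote-abuse pattern the DFS letter describes."""
import re
from collections import Counter

# Constructed quote record as the back end would hold it (hypothetical fields).
FULL_RECORD = {
    "first_name": "Jane",
    "driver_license": "D123456789",
    "dob": "1985-04-12",
    "vin": "1HGCM82633A004352",
    "premium_usd": 812.50,
}

def mask_tail(value, keep=4):
    """Keep only the last `keep` characters; everything else becomes '*'."""
    return "*" * (len(value) - keep) + value[-keep:]

def mask_dob(value):
    """Keep only the day of a YYYY-MM-DD date."""
    return "****-**-" + value[-2:]

# Allow-list of fields the quote page may show, with the mask applied to each.
# Masking happens here, on the server; the browser never receives the raw value,
# so nothing a user does with browser tooling can recover it from the response.
CLIENT_VIEW = {
    "first_name": lambda v: v,
    "driver_license": mask_tail,
    "dob": mask_dob,
    "premium_usd": lambda v: v,
}

def redact_for_client(record):
    """Build the response payload from the allow-list; unlisted NPI (e.g. vin) is dropped."""
    return {field: fn(record[field]) for field, fn in CLIENT_VIEW.items() if field in record}

# Constructed access-log lines in a hypothetical format: time, session id, client ip, method, path.
SAMPLE_LOG = """\
2021-02-16T10:00:01 sid=s1 ip=203.0.113.5 POST /quote/start
2021-02-16T10:00:03 sid=s1 ip=203.0.113.5 GET /quote/result
2021-02-16T10:00:20 sid=s1 ip=203.0.113.5 POST /quote/purchase
2021-02-16T10:01:01 sid=s2 ip=198.51.100.7 POST /quote/start
2021-02-16T10:01:02 sid=s2 ip=198.51.100.7 GET /quote/result
2021-02-16T10:01:04 sid=s2 ip=198.51.100.7 POST /quote/start
2021-02-16T10:01:05 sid=s2 ip=198.51.100.7 GET /quote/result
2021-02-16T10:01:07 sid=s2 ip=198.51.100.7 POST /quote/start
2021-02-16T10:01:08 sid=s2 ip=198.51.100.7 GET /quote/result
2021-02-16T10:01:10 sid=s2 ip=198.51.100.7 POST /quote/start
2021-02-16T10:01:11 sid=s2 ip=198.51.100.7 GET /quote/result
2021-02-16T10:02:00 sid=s3 ip=192.0.2.9 POST /quote/start
2021-02-16T10:02:02 sid=s3 ip=192.0.2.9 GET /quote/result
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+)$")

def parse_log(text):
    """Parse the hypothetical log format into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def quote_counts(events):
    """Quote requests per session: the basis for a per-session quote limit."""
    return Counter(e["sid"] for e in events if e["path"] == "/quote/start")

def sessions_over_limit(events, max_quotes=3):
    """Sessions that requested more quotes than the configured limit allows."""
    return sorted(sid for sid, n in quote_counts(events).items() if n > max_quotes)

def abandoned_sessions(events):
    """Sessions that viewed a quote result but never reached purchase."""
    viewed, bought = set(), set()
    for e in events:
        if e["path"] == "/quote/result":
            viewed.add(e["sid"])
        elif e["path"] == "/quote/purchase":
            bought.add(e["sid"])
    return sorted(viewed - bought)

def abandonment_rate(events):
    """Share of quote-viewing sessions that were abandoned; a rising value is the spike DFS describes."""
    viewed = {e["sid"] for e in events if e["path"] == "/quote/result"}
    return len(abandoned_sessions(events)) / len(viewed) if viewed else 0.0

if __name__ == "__main__":
    print(redact_for_client(FULL_RECORD))
    ev = parse_log(SAMPLE_LOG)
    print("over limit:", sessions_over_limit(ev))
    print("abandoned:", abandoned_sessions(ev), f"rate={abandonment_rate(ev):.2f}")
```

The allow-list in `CLIENT_VIEW` is the important design choice: the response is built from the fields the page is permitted to show rather than by stripping fields from the full record, so a newly added NPI field stays out of the response until someone deliberately lists it. The log checks are deliberately simple counts; in practice the session limit and the abandonment baseline would be tuned against normal traffic before alerting on them.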
“Cyber criminals are creative and tenacious, and continue to look for new ways to exploit us during an already vulnerable time,” said Linda A. Lacewell, superintendent of DFS. “DFS expects the industry to protect consumer data by addressing cybersecurity risks in everything they do.”