The New York State Department of Financial Services today issued a warning of a "systemic and aggressive campaign to exploit cybersecurity flaws" in websites that provide instant insurance quotes. The department urged all entities that it regulates, if they have instant quote websites, to review them for evidence of hacking.
The alert, which DFS emailed to regulated entities and posted on its website today, said that two auto insurers reported attempts by cybercriminals to steal unredacted driver's license numbers. These insurers offer instant quotes for auto insurance on their sites. The New York Cybersecurity Requirements For Financial Services Companies regulation requires "covered entities" to report certain "cybersecurity events" to DFS within 72 hours of determining that they occurred.
Last month, DFS notified a dozen entities that they might be targets of this campaign, after which another six reported suspicious events. Four of those insurers reported that the hackers had successfully stolen private information.
The department said that the campaign was one part of an overall increase in attempts to steal private information, and this appears to be linked to a growth in benefits fraud during the COVID-19 pandemic. New York has implemented enhanced identity requirements for pandemic benefits, and this may explain the search for driver's license numbers.
If you have a public website that displays or transmits consumers' non-public information, DFS suggests that you:
- Review whether it's necessary to display non-public information - even redacted - on the site
- Review the site's security controls
- Review what the site exposes to browser web developer tools
- Confirm that any tools for redacting or obfuscating personal information are implemented properly
- Ensure that your privacy protections are up to date and working effectively
- Search and scrub "public code repositories" for proprietary code
- Block the IP addresses of suspected unauthorized users
- Consider limiting the number of quotes a user can obtain in one session
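The two items most specific to this campaign are proper redaction and per-session quote limits. The following added example (not code from DFS or from any affected insurer) contrasts the weak pattern of sending a full license number to the browser and masking it on screen, which leaves the value visible in developer tools, with server-side redaction, and adds a simple session cap. The field names, the 9-digit license format, the sample record and the limit of three quotes are assumptions.

```python
# Added example: server-side redaction versus client-side masking, plus a
# per-session quote limit. Field names, formats and limits are assumptions.
import re
from collections import defaultdict

QUOTES_PER_SESSION = 3            # assumed cap per session
_quote_counts = defaultdict(int)  # session id -> quotes issued so far

# Constructed sample record, not real data.
SAMPLE = {"name": "Jane Example", "dl_number": "123456789"}

_UNREDACTED = re.compile(r"\b\d{9}\b")   # assumed 9-digit license format


def redact_license(number: str) -> str:
    """Keep only the last two characters; everything else becomes '*'."""
    if len(number) < 2:
        return "*" * len(number)
    return "*" * (len(number) - 2) + number[-2:]


def weak_quote_payload(record: dict) -> dict:
    """Weak pattern: the full number is sent and the page is expected to
    mask it. Everything in this payload is visible in the browser's
    developer tools (Network tab) no matter what the page displays."""
    return {"name": record["name"], "dl_number": record["dl_number"],
            "display_mask": True}


def safe_quote_payload(record: dict) -> dict:
    """Hardened pattern: redact on the server before anything is sent."""
    return {"name": record["name"],
            "dl_number": redact_license(record["dl_number"])}


def leaks_license(payload: dict) -> bool:
    """Review check: does any field still carry a full license number?
    This is what a reviewer sees with developer tools open."""
    return any(isinstance(v, str) and _UNREDACTED.search(v)
               for v in payload.values())


def quote_allowed(session_id: str) -> bool:
    """Limit the number of quotes one session may obtain."""
    if _quote_counts[session_id] >= QUOTES_PER_SESSION:
        return False
    _quote_counts[session_id] += 1
    return True
```

Running `leaks_license` over every quote response in a test environment is one way to confirm that redaction is applied before data leaves the server rather than in page script.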
You may need to consult with the vendor that hosts your website on many of these items.
More information about cybersecurity and the New York regulation is available in the Cybersecurity section of our website.
Also, this is a reminder that all agencies must submit a certification of compliance with the regulation on the DFS website no later than April 15.