Responding to an alert from Big I New York, the New York State Department of Financial Services (DFS) yesterday updated its guidance to financial services companies about a recent wave of cyber fraud. If your agency has a website that enables visitors to obtain instant auto insurance quotes, you should take immediate steps to protect any non-public information collected.
As we reported last month, DFS warned of a "systemic and aggressive campaign to exploit cybersecurity flaws in websites that provide instant insurance quotes." The department's letter provided specific actions companies, including agencies and brokerages, could take to reduce the risk of cyber crime.
On March 9, two Big I New York member agencies contacted us about individuals having received personal auto insurance policies from one particular insurer, when they had not applied for the policies. By March 24, we had heard from three other member agencies about the same occurrence involving other insurers. That day, we sent an email to a DFS attorney to ask whether the department was aware of the problem and what we should tell members. On March 26, the attorney advised that their cybersecurity unit was investigating and that they would publish updated guidance as soon as possible. The result was the letter issued yesterday.
According to the DFS letter, cyber criminals are supplementing the hacking methods reported in the earlier alert with two other methods:
- Web debugging tools for capturing plain-text nonpublic information (NPI) transmitted from data service providers to instant quote websites in certain file formats
- "Credential stuffing" to gain access to insurance agent accounts and use those agent accounts to steal consumer NPI. Credential stuffing is "the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts."
The letter noted, "Cybercriminals are also repeatedly purchasing insurance policies with eChecks and/or stolen credit and debit card information to view policyholders' (driver's license numbers) and other NPI."
The letter urges insurers, agencies and brokerages with instant quote websites to take several remedial actions, including technology to detect and block bots, preventing NPI from being prefilled on their websites, limiting agent and employee access to NPI only to those who need it to do their jobs, protecting NPI received from vendors, and more. We encourage you to work with your information technology departments or consultants to take these and other protective measures as soon as you can.
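To make the bot-detection step concrete, here is an added example (not from the DFS letter or Big I New York) that flags the credential-stuffing pattern in agent-portal login logs. The log format, IP addresses and usernames are constructed for illustration; the thresholds are assumptions to tune against real traffic.

```python
"""Credential-stuffing detector for agent-portal login logs (added example).
Assumed log format: "<ISO timestamp> <source ip> <username> <success|failure>"."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 is the stuffing source; the rest are normal users.
SAMPLE_LOG = """\
2021-03-24T10:00:01 203.0.113.7 agent.smith failure
2021-03-24T10:00:02 203.0.113.7 jdoe failure
2021-03-24T10:00:02 203.0.113.7 mrivera success
2021-03-24T10:00:03 203.0.113.7 kchen failure
2021-03-24T10:00:03 203.0.113.7 lpatel failure
2021-03-24T10:00:04 203.0.113.7 tnguyen failure
2021-03-24T10:05:00 198.51.100.4 jdoe failure
2021-03-24T10:05:20 198.51.100.4 jdoe success
2021-03-24T11:30:00 192.0.2.9 kchen success
"""

def parse_log(text):
    """Return (timestamp, ip, username, succeeded) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "success"))
    return sorted(events)

def detect_stuffing(events, window=timedelta(minutes=10), min_accounts=5, max_hit_rate=0.5):
    """{ip: usernames} for sources touching >= min_accounts distinct accounts in a window."""
    # Stuffing replays breached username/password pairs: one source, many DISTINCT
    # accounts, roughly one try each, and a low success rate (unlike brute force).
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):  # sliding window over this source's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            accounts = {ev[2] for ev in burst}
            hit_rate = sum(ev[3] for ev in burst) / len(burst)
            if len(accounts) >= min_accounts and hit_rate <= max_hit_rate:
                flagged[ip] = flagged.get(ip, set()) | accounts
    return flagged

def accounts_to_reset(events, flagged):
    """Usernames that logged in successfully from a flagged source: treat those
    agent accounts as compromised (force a credential reset and require MFA)."""
    return {ev[2] for ev in events if ev[1] in flagged and ev[3]}
```

Feed the flagged sources to your WAF or rate limiter, and treat the accounts returned by `accounts_to_reset` as the ones most likely used to pull consumer NPI.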
Any consumers who discover that fraudulent policies have been issued in their names should contact the issuing insurers immediately and request appropriate corrections. Consumers who may have received auto insurance inquiries from the New York State Department of Motor Vehicles should contact you or their real insurers directly to have corrected notifications sent to the DMV.
Information about how to comply with New York's regulation Cybersecurity Requirements for Financial Services Companies and how to get cybersecurity help is available at www.biginy.org/cyber.