The New York Department of Financial Services (DFS) issued a cybersecurity fraud alert (“Alert”) to all regulated entities, particularly those operating public-facing websites that display nonpublic information (“NPI”), even in redacted form. According to the Alert, data thieves have been attacking websites that provide instant auto insurance quotes and, in doing so, display redacted NPI, for example a driver’s license number. DFS believes the attackers are using the harvested information to fraudulently apply for pandemic and unemployment benefits.
Data thieves employ a variety of techniques to access a consumer’s information, including (i) examining the site’s source code, (ii) intercepting and decoding unredacted NPI using browser developer tools, (iii) manipulating the site’s redaction technology to expose unredacted NPI, (iv) purchasing a policy with fraudulent payment information, and (v) using social engineering techniques to extract information from insurance agents following up on leads. The first three techniques share a root cause: if the unredacted value is sent to the browser and only masked there (by CSS, JavaScript, or HTML markup), anyone with developer tools can read it from the response body, so redaction that happens only on the client is not redaction at all.
Regardless of the methods employed, companies providing insurance quotes should assume they are likely to have been targeted and employ security measures to mitigate the risk of compromising consumer data. The Alert urges insurance companies (and their vendors) across all lines of insurance to examine website analytics and traffic measures for abnormalities, such as an unusual number of abandoned quotes in a short timeframe. DFS also urges companies to investigate their server logs for evidence of unauthorized access to NPI.
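The abandoned-quote check the Alert describes can be run directly over web server logs. The following is an added example, not code from the DFS Alert or from this post; the log format, URL paths, session identifiers, IP addresses and thresholds are all constructed for illustration. A session that fetched a quote result (the page on which NPI is displayed) but never proceeded to purchase is treated as abandoned, and any source IP with an unusual number of abandoned quotes inside a short window is flagged.

```python
"""Flag bursts of abandoned insurance quotes in web access logs.

Added example; not part of the DFS Alert or the original post. The log
layout ("<timestamp> <client_ip> <session_id> <path> <status>"), the
/quote/* paths and the thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real traffic). One source runs six quote
# flows in under a minute and never buys; a second source behaves normally.
SAMPLE_LOG = """\
2021-02-10T09:00:01Z 203.0.113.7 a1 /quote/start 200
2021-02-10T09:00:03Z 203.0.113.7 a1 /quote/result 200
2021-02-10T09:00:10Z 203.0.113.7 a2 /quote/start 200
2021-02-10T09:00:12Z 203.0.113.7 a2 /quote/result 200
2021-02-10T09:00:20Z 203.0.113.7 a3 /quote/start 200
2021-02-10T09:00:22Z 203.0.113.7 a3 /quote/result 200
2021-02-10T09:00:31Z 203.0.113.7 a4 /quote/start 200
2021-02-10T09:00:33Z 203.0.113.7 a4 /quote/result 200
2021-02-10T09:00:40Z 203.0.113.7 a5 /quote/start 200
2021-02-10T09:00:42Z 203.0.113.7 a5 /quote/result 200
2021-02-10T09:00:50Z 203.0.113.7 a6 /quote/start 200
2021-02-10T09:00:52Z 203.0.113.7 a6 /quote/result 200
2021-02-10T09:05:00Z 198.51.100.5 b1 /quote/start 200
2021-02-10T09:05:30Z 198.51.100.5 b1 /quote/result 200
2021-02-10T09:30:00Z 198.51.100.5 b2 /quote/start 200
2021-02-10T09:30:40Z 198.51.100.5 b2 /quote/result 200
2021-02-10T09:33:00Z 198.51.100.5 b2 /quote/purchase 200
"""


def parse_log(text):
    """Parse the assumed log layout into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, session, path, status = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ip,
            "session": session,
            "path": path,
            "status": int(status),
        })
    return events


def abandoned_sessions(events):
    """Return {session: (ip, time of first /quote/result)} for sessions that
    were shown a quote result (where redacted NPI is displayed) but never
    reached /quote/purchase."""
    result_seen = {}
    purchased = set()
    for e in events:
        if e["status"] != 200:
            continue
        if e["path"] == "/quote/result":
            result_seen.setdefault(e["session"], (e["ip"], e["ts"]))
        elif e["path"] == "/quote/purchase":
            purchased.add(e["session"])
    return {s: v for s, v in result_seen.items() if s not in purchased}


def flag_burst_sources(events, window=timedelta(minutes=10), threshold=5):
    """Return {ip: peak count} for every source IP that produced at least
    `threshold` abandoned quotes inside any sliding `window`."""
    by_ip = defaultdict(list)
    for ip, ts in abandoned_sessions(events).values():
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("abandoned sessions:", sorted(abandoned_sessions(evts)))
    print("flagged sources:", flag_burst_sources(evts))
```

The threshold and window are deliberately parameters: a quote funnel with a naturally high abandonment rate needs a baseline measured from its own history before a value like "five in ten minutes" means anything. The same grouping can be done on a session cookie or on a fingerprint of the submitted applicant data instead of the IP, which matters when the attacker rotates addresses.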
The Alert also prescribes preventive and remedial measures for insurance companies, including:
- Reviewing NPI policies and displaying NPI, redacted or not, only where there is a compelling reason to do so.
- Reviewing security controls such as Secure Sockets Layer (SSL)/Transport Layer Security (TLS) configuration (SSL itself is obsolete; current deployments should accept only TLS 1.2 or later), HTTP Strict Transport Security (HSTS), and Hypertext Markup Language (HTML) configurations.
- Limiting the ability of third parties to use developer tools to modify or manipulate web content.
- Ensuring that NPI is obfuscated throughout the entire pathway, so that the unredacted value is never transmitted to the browser in the first place rather than being hidden after delivery.
- Ensuring privacy protections are updated and effectively protect NPI by reviewing who is authorized to see NPI, which applications use NPI, and where NPI resides.
- Scrubbing public code repositories for proprietary code.
- Blocking IP addresses of suspected unauthorized users and implementing a quote limit per user session.
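Two of the measures above, redacting NPI before it leaves the server and capping quotes per session, are easy to get wrong in a quote service. The following is an added example, not code from the DFS Alert or from this post: it places the common anti-pattern (full license number in the response, masked only by the front end) beside the hardened version, and wraps it with a per-session quote limit and the HSTS header the Alert calls for. The `Applicant` type, the handler, the header values and the sample license number are constructed for illustration; the `Cache-Control: no-store` header is an addition the Alert does not mention.

```python
"""Server-side NPI redaction and per-session quote limiting.

Added example; not part of the DFS Alert or the original post. All names,
the response shape and the sample applicant are assumptions for illustration.
"""
import json
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Applicant:
    name: str
    drivers_license: str  # NPI: must never leave the server unredacted


def redact_license(value: str, visible: int = 4) -> str:
    """Keep only the last `visible` characters; everything else becomes '*'."""
    if len(value) <= visible:
        return "*" * len(value)
    return "*" * (len(value) - visible) + value[-visible:]


def quote_body_vulnerable(applicant: Applicant, premium: float) -> dict:
    """Anti-pattern: the raw license number is sent to the browser and the
    front end is trusted to mask it. Developer tools show the full value."""
    return {
        "name": applicant.name,
        "drivers_license": applicant.drivers_license,
        "mask_in_ui": True,
        "premium": premium,
    }


def quote_body_hardened(applicant: Applicant, premium: float) -> dict:
    """Redaction happens before serialization, so the browser only ever
    receives the masked string."""
    return {
        "name": applicant.name,
        "drivers_license": redact_license(applicant.drivers_license),
        "premium": premium,
    }


def leaks_npi(body: dict, applicant: Applicant) -> bool:
    """Check what the browser actually receives: does the serialized
    response contain the raw license number anywhere?"""
    return applicant.drivers_license in json.dumps(body)


class QuoteLimiter:
    """Per-session quote counter (in-memory; a real service would back this
    with shared storage so the limit survives across instances)."""

    def __init__(self, max_per_session: int = 3):
        self.max_per_session = max_per_session
        self.counts = defaultdict(int)

    def allow(self, session_id: str) -> bool:
        self.counts[session_id] += 1
        return self.counts[session_id] <= self.max_per_session


# HSTS as the Alert recommends; no-store keeps quote pages holding NPI out of
# shared caches (an addition, not from the Alert).
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Cache-Control": "no-store",
}


def handle_quote(session_id: str, applicant: Applicant, premium: float,
                 limiter: QuoteLimiter):
    """Assumed handler returning (status, headers, body)."""
    if not limiter.allow(session_id):
        return 429, SECURITY_HEADERS, {"error": "quote limit reached for this session"}
    return 200, SECURITY_HEADERS, quote_body_hardened(applicant, premium)


# Constructed sample applicant; the license number is not a real one.
SAMPLE = Applicant(name="J. Doe", drivers_license="D1234567")

if __name__ == "__main__":
    print("vulnerable leaks NPI:", leaks_npi(quote_body_vulnerable(SAMPLE, 812.50), SAMPLE))
    print("hardened leaks NPI:  ", leaks_npi(quote_body_hardened(SAMPLE, 812.50), SAMPLE))
    lim = QuoteLimiter(max_per_session=2)
    for _ in range(3):
        print(handle_quote("session-1", SAMPLE, 812.50, lim)[0])
```

The `leaks_npi` check is the one worth keeping in a test suite: it serializes the response exactly as the server would and searches it for the raw value, which catches the case where a developer adds a new field or a hidden form input that quietly reintroduces the unredacted number.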
The Alert outlines some of the ways that insurers generating leads and providing instant quotes may be vulnerable. Its guidance is instructive for all insurance companies regardless of jurisdiction or line of business. However, the requirements for notifying regulators and consumers after a data breach vary from state to state. Jurisdictions with insurance-specific cybersecurity regulations have generally promulgated rules substantially similar to either the National Association of Insurance Commissioners Insurance Data Security Model Law or the DFS Cybersecurity Regulation (23 NYCRR Part 500).
Read the full Alert on the DFS website.