Skip to content

Hackers Targeting Insurance Instant Quote Sites

February 22, 2021

The New York Department of Financial Services issued a cybersecurity fraud alert (“Alert”) to all regulated entities, particularly those utilizing public-facing websites that display nonpublic information (“NPI”), even if redacted.  According to the Alert, data thieves have been attacking websites that provide auto insurance and, in so doing, display redacted NPI—for example, a driver’s license number. DFS believes the hackers are using the information to fraudulently apply for pandemic and unemployment benefits.

Data thieves employ a variety of techniques in order to access a consumer’s information, including (i) examining the site’s coding (ii) intercepting and decoding unredacted NPI by using developer debug tools (iii) manipulating the site’s redaction technology to expose unredacted NPI (iv) purchasing a policy with fraudulent payment information, and (v) using social engineering techniques to extract information from insurance agents following up on leads. 

Regardless of the methods employed, companies providing insurance quotes need to be aware of the likelihood that they have been targeted and employ security measures to mitigate their risk of compromising consumer data. The Alert implores insurance companies (and their vendors) across all lines of insurance to examine website analytics and traffic measures for abnormalities such as an unusual number of abandoned quotes in a short timeframe. DFS also urges companies to investigate their server logs for evidence of unauthorized access to NPI. 

The Alert also prescribes preventive and remedial measures for insurance companies, including:

  • Reviewing NPI policies, and only display NPI, whether redacted or not, where there is a compelling reason to do so. 
  • Reviewing security controls such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), and HTTP Strict Transport Security (HSTS) and Hypertext Markup Language (HTML) configurations.
  • Limiting access for third parties using developer tools to modify or manipulate web content.
  • Ensuring that the NPI is obfuscated throughout the entire pathway.
  • Ensuring privacy protections are updated and effectively protect NPI by reviewing who is authorized to see NPI, which applications use NPI, and where NPI resides.
  • Scrubbing public code repositories for proprietary code.
  • Blocking IP addresses of suspected unauthorized users and implement a quote limit per user session.

The Alert outlines some of the ways that insurers generating leads and providing instant quotes may be vulnerable. Its guidance is instructive for all insurance companies regardless of jurisdiction or line of business. However, the notification requirements to regulatory authorities and to consumers following a data breach vary from state to state. Jurisdictions with insurance-specific cybersecurity regulations have generally promulgated regulations substantially similar to either the National Association of Insurance Commissioners Insurance Data Security Model Law or the DFS’s Cybersecurity Regulation (NY Regulation 500). 

Read the full Alert on the DFS website.

Subscribe For The Latest




2024 Cybersecurity and Data Privacy Laws Summit Chicago

This event will include a panel discussion with expert industry leaders, offering a deep dive into the most pressing issues and advancements in AI and data privacy laws. You’ll gain critical knowledge and explore the implications of AI in legal and privacy domains so you can update your practices to reflect the highest standards of data stewardship.

Explore more

WEBINAR: The Race to 2024: Politics and Social Media in the Workplace and Employer Rights.

Over the last several years, employers have seen and continue to see increased political activities from their employees at work and on social media platforms, including on business-related social media platforms, like LinkedIn. Managing employee expression causes unique challenges for employers and HR professionals, and in a General Election year, these challenges are likely to increase as the Presidential race, and other races, heat up.

Explore more

Webinar: A Cookieless Future and Promise of PETs: A Primer on Privacy Enhancing Technologies

This webinar will explore PETs – we will define what they are, what problems PETs exist to address, and emerging PET standards including the National Institute of Standards and Technology (NIST) draft guidance on how to evaluate PET effectiveness. We will provide specific PET use cases and discuss how PETs may be utilized to address the phase out of third party cookies by certain browsers for purposes of targeted advertising.

Explore more