DFS Warning of Widespread Data Breach
February 18, 2021 | Shari Claire Lewis
Sometimes a comprehensive overview is needed to recognize that individual anomalous conduct is indicative of a criminal scheme.
Recently, the New York Department of Financial Services (DFS) looked at an unusual pattern of interaction with multiple insurance websites and concluded that cybercriminals were exploiting data obtained through those interactions to commit benefit fraud. Website operators of all types should take note of DFS’ warning and consider whether their own websites may be vulnerable to the same kind of exploitation.
On February 16, 2021, DFS issued an Industry Letter concerning a “systemic and aggressive campaign to exploit a cybersecurity flaw in public-facing websites to steal Nonpublic Information (NPI).” According to DFS, the campaign’s purpose is to use NPI obtained by hackers to steal pandemic and unemployment benefits. To do so, hackers have been infiltrating public-facing websites that access or transmit NPI. Most frequently, the scheme has been employed on “Instant Quote Websites,” which provide instant quotes for auto or other insurance using the consumer’s NPI and display redacted NPI back to the consumer. DFS’ Letter describes the fraud and notes that the hackers can use several methods to access unredacted consumer NPI.
According to DFS, the scheme is part of an explosive surge in benefits fraud during the pandemic. DFS observed that these concerted efforts to steal NPI from New Yorkers have coincided with the enhanced identity requirements needed to obtain pandemic benefits in New York.
DFS notes that all entities with a public-facing website that displays or transmits redacted or unredacted NPI, such as Instant Quote Websites, are vulnerable to this type of data theft. DFS recommends that entities with Instant Quote Websites take steps such as reviewing data analytics and website traffic for spikes in the number of abandoned quotes (a quote that is requested, displayed and then never bound is consistent with a visitor who wanted the data rather than the policy) and examining server logs for evidence of unauthorized access to NPI.
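As an added illustration of the log review DFS recommends (this is example code, not anything from the DFS letter or the original post), the following Python scans web-server access logs for sessions that fetched a quote result but never bound a policy, flags client addresses with an implausible number of such sessions, and flags days whose abandonment rate spikes. The log format, the endpoint paths /quote/start, /quote/result and /quote/bind, the sample traffic and the thresholds are all assumptions chosen for illustration.

```python
"""Scan access logs for the abandoned-quote pattern DFS describes.

Added example, not from the DFS letter or the original post. A session is
"abandoned" when the quote result (where redacted NPI is shown) was fetched
but no bind followed. Log format and paths are assumptions; adapt LOG_RE.
"""
import re
from collections import defaultdict

# Assumed log format: <ISO timestamp> <client IP> <method> <path> session=<id>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) session=(?P<session>\S+)$"
)

# Constructed sample traffic (not real data): three organic sessions on
# 2021-02-10, then one organic session plus eight scripted start/result
# pairs from a single address on 2021-02-11.
SAMPLE_LOG = "\n".join(
    [
        "2021-02-10T09:01:03Z 192.0.2.10 POST /quote/start session=s1",
        "2021-02-10T09:01:20Z 192.0.2.10 GET /quote/result session=s1",
        "2021-02-10T09:03:41Z 192.0.2.10 POST /quote/bind session=s1",
        "2021-02-10T10:15:02Z 192.0.2.11 POST /quote/start session=s2",
        "2021-02-10T10:15:19Z 192.0.2.11 GET /quote/result session=s2",
        "2021-02-10T13:40:00Z 192.0.2.12 POST /quote/start session=s3",
        "2021-02-10T13:40:22Z 192.0.2.12 GET /quote/result session=s3",
        "2021-02-10T13:45:10Z 192.0.2.12 POST /quote/bind session=s3",
        "2021-02-11T11:02:05Z 192.0.2.13 POST /quote/start session=s4",
        "2021-02-11T11:02:30Z 192.0.2.13 GET /quote/result session=s4",
        "2021-02-11T11:06:48Z 192.0.2.13 POST /quote/bind session=s4",
    ]
    + [
        line
        for i in range(1, 9)
        for line in (
            f"2021-02-11T02:00:{2 * i:02d}Z 198.51.100.7 POST /quote/start session=b{i}",
            f"2021-02-11T02:00:{2 * i + 1:02d}Z 198.51.100.7 GET /quote/result session=b{i}",
        )
    ]
)


def parse_log(text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def session_outcomes(records):
    """Collapse request records into one outcome per session."""
    sessions = {}
    for r in records:
        s = sessions.setdefault(
            r["session"],
            {"ip": r["ip"], "day": r["ts"][:10], "saw_result": False, "bound": False},
        )
        if r["path"] == "/quote/result":
            s["saw_result"] = True
        elif r["path"] == "/quote/bind":
            s["bound"] = True
    return sessions


def abandoned_quotes(sessions):
    """Sessions that were shown a quote but never bound it."""
    return {sid: s for sid, s in sessions.items() if s["saw_result"] and not s["bound"]}


def flag_sources(abandoned, per_ip_threshold=5):
    """Client addresses with an implausible number of abandoned quotes."""
    counts = defaultdict(int)
    for s in abandoned.values():
        counts[s["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= per_ip_threshold}


def daily_abandon_rate(sessions):
    """Fraction of quote results per day that were never followed by a bind."""
    shown, dropped = defaultdict(int), defaultdict(int)
    for s in sessions.values():
        if s["saw_result"]:
            shown[s["day"]] += 1
            if not s["bound"]:
                dropped[s["day"]] += 1
    return {day: dropped[day] / shown[day] for day in shown}


def report(text, per_ip_threshold=5, rate_threshold=0.75):
    """Run the whole check over a log and return what an analyst would review."""
    sessions = session_outcomes(parse_log(text))
    abandoned = abandoned_quotes(sessions)
    rates = daily_abandon_rate(sessions)
    return {
        "abandoned_sessions": sorted(abandoned),
        "suspect_ips": flag_sources(abandoned, per_ip_threshold),
        "spike_days": sorted(d for d, r in rates.items() if r >= rate_threshold),
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the constructed sample, the scripted address is the only one that crosses the per-address threshold and 2021-02-11 is the only day whose abandonment rate crosses the day threshold; in practice the thresholds should be set from the site's own baseline rather than the fixed values used here.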
DFS also recommends that any entity that maintains a public-facing website that displays or transmits NPI should:
- conduct a thorough review of the website’s security controls;
- review the website’s browser web tool functionality to limit users’ ability to adjust or manipulate the website’s content (any redaction that page scripts apply in the browser can be undone by a user who opens the browser’s developer tools or reads the raw server response);
- confirm that redaction and data obfuscation are properly implemented throughout the entire transmission, that is, that NPI is masked on the server before the response is sent rather than masked in the browser after the unredacted value has already arrived;
- ensure that privacy protection measures are up to date and effective, so that review of NPI is limited to those authorized to see it;
- search and scrub public code repositories for the entity’s proprietary code;
- block the IP addresses of suspected unauthorized users; and
- limit the number of quotes that a user can request per session.
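The redaction and quote-limit items above translate to code as follows. This is an added example, not the DFS letter’s or any insurer’s code: a weak handler that sends the whole record and relies on the browser to mask it, the hardened handler that masks on the server, a check run over the serialised response bytes for any raw NPI value, and a per-session quote cap. The record fields, the mask policy and the cap are assumptions chosen for illustration.

```python
"""Server-side redaction and per-session quote limits for an instant-quote endpoint.

Added example, not from the DFS letter or the original post. Record fields,
mask policy and the per-session limit are assumptions for illustration.
"""
import json
from collections import defaultdict

# Constructed sample quote record (not real data).
RECORD = {
    "name": "Jane Q. Public",
    "dl_number": "D1234567",
    "dob": "1985-04-12",
    "vin": "1HGCM82633A004352",
    "premium": 812.50,
}

# Fields the page may only ever show in masked form.
NPI_FIELDS = ("dl_number", "dob", "vin")


def mask(value, keep=4):
    """Replace all but the last `keep` characters with asterisks."""
    s = str(value)
    return "*" * max(len(s) - keep, 0) + s[-keep:]


def redact(record):
    """Return a copy of the record with every NPI field masked."""
    return {k: (mask(v) if k in NPI_FIELDS else v) for k, v in record.items()}


def vulnerable_quote_response(record):
    """Weak pattern: the full record goes over the wire and the page's
    JavaScript masks it on display. Anyone who opens the browser's developer
    tools, or requests the endpoint directly, sees every field."""
    return json.dumps({"quote": record, "mask_on_display": list(NPI_FIELDS)})


def redacted_quote_response(record):
    """Hardened pattern: NPI is masked before serialisation, so the
    unredacted value never leaves the server."""
    return json.dumps({"quote": redact(record)})


def response_leaks_npi(body, record):
    """The transmission check, applied to the bytes actually sent: return
    the NPI fields whose raw value appears anywhere in the response."""
    return [k for k in NPI_FIELDS if str(record[k]) in body]


class QuoteService:
    """Issues redacted quotes and refuses more than `max_quotes` per session."""

    def __init__(self, max_quotes=3):
        self.max_quotes = max_quotes
        self.issued = defaultdict(int)

    def quote(self, session_id, record):
        """Return (status, body); 429 once the session exhausts its allowance."""
        if self.issued[session_id] >= self.max_quotes:
            return 429, json.dumps({"error": "quote limit reached for this session"})
        self.issued[session_id] += 1
        return 200, redacted_quote_response(record)


if __name__ == "__main__":
    print("vulnerable leaks:", response_leaks_npi(vulnerable_quote_response(RECORD), RECORD))
    print("hardened leaks:  ", response_leaks_npi(redacted_quote_response(RECORD), RECORD))
    svc = QuoteService(max_quotes=3)
    for n in range(4):
        status, body = svc.quote("sess-1", RECORD)
        print(n + 1, status, body)
```

The leak check is the useful part for an existing site: run it against the real responses captured at the network layer, not against what the page renders, because the browser is exactly where the attacker is sitting. A per-session cap on its own is easy to evade by opening new sessions, so it belongs alongside the per-address review and blocking that DFS also recommends.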
Although DFS’ warning is aimed at insurers with Instant Quote Websites, other entities may have websites with similar functionality and therefore similar vulnerability. Businesses with functionally similar websites should work with their web managers, cybersecurity team, and legal counsel to determine whether the site has been hacked and if so, how it should be reported. They should also establish practices and procedures to close the vulnerability going forward.
- Shari Claire Lewis