The New York Department of Financial Services (NYDFS) has issued an alert to instant-quote websites, particularly car insurers, warning of a growing campaign to steal nonpublic information (NPI).
The agency says it learned of the threat after receiving reports from auto insurers that cybercriminals were targeting their premium quote sites to steal driver's license numbers.
According to the guidance, “the insurers first noticed this activity because of an unusually high number of abandoned quotes or quotes not pursued after the display of the estimated insurance premium. On the Auto Quote Websites, the criminals entered valid name, any date of birth and any address information into the required fields. The Auto Quote Websites then displayed an estimated insurance premium quote along with partial or redacted consumer NPI including a driver's license number. The attackers captured the full, unredacted driver's license numbers without going any further in the process and abandoned the quote.”
The NYDFS says its cyber intelligence unit has discovered communications on cybercrime forums offering to sell techniques to access driver's license numbers from auto insurance websites and step-by-step instructions on how to steal them.
The growing threat is partly attributed to heightened fraud during the COVID-19 pandemic.
“The unauthorized collection of NPI appears to be part of a growing fraud campaign targeting pandemic and unemployment benefits,” the guidance reads.
Targeted entities are instructed to immediately review data analytics and website traffic metrics for spikes of quote requests and server logs for evidence of unauthorized access to NPI to determine whether their sites have been hacked.
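The log review described above can be sketched as a per-source count of quotes that were displayed and then abandoned. This is an added example, not code from NYDFS or any insurer; the log format, the event names `quote_displayed` and `quote_continued`, and the thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample events (not real logs). Assumed format:
# "<ISO timestamp> <client_ip> <session_id> <event>", with hypothetical event
# names quote_displayed (premium shown) and quote_continued (user went on).
SAMPLE_LOG = """\
2021-02-01T10:00:01Z 198.51.100.7 s01 quote_displayed
2021-02-01T10:00:09Z 198.51.100.7 s02 quote_displayed
2021-02-01T10:00:17Z 198.51.100.7 s03 quote_displayed
2021-02-01T10:00:25Z 198.51.100.7 s04 quote_displayed
2021-02-01T10:00:33Z 198.51.100.7 s05 quote_displayed
2021-02-01T10:00:41Z 198.51.100.7 s06 quote_displayed
2021-02-01T10:02:00Z 203.0.113.10 s07 quote_displayed
2021-02-01T10:04:30Z 203.0.113.10 s07 quote_continued
2021-02-01T11:15:00Z 203.0.113.10 s08 quote_displayed
2021-02-01T11:20:00Z 203.0.113.11 s09 quote_displayed
truncated-line-without-fields
""".splitlines()

def abandonment_by_source(lines):
    """Return {client_ip: (quotes_displayed, quotes_abandoned)}."""
    displayed = defaultdict(set)   # ip -> sessions that were shown a premium
    continued = set()              # (ip, session) pairs that went further
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue               # skip malformed lines instead of failing
        _, ip, session, event = parts
        if event == "quote_displayed":
            displayed[ip].add(session)
        elif event == "quote_continued":
            continued.add((ip, session))
    stats = {}
    for ip, sessions in displayed.items():
        abandoned = sum(1 for s in sessions if (ip, s) not in continued)
        stats[ip] = (len(sessions), abandoned)
    return stats

def flag_sources(lines, min_quotes=5, min_ratio=0.9):
    """Sources with many displayed quotes, nearly all of them abandoned."""
    return sorted(
        ip for ip, (shown, abandoned) in abandonment_by_source(lines).items()
        if shown >= min_quotes and abandoned / shown >= min_ratio
    )

if __name__ == "__main__":
    for ip in flag_sources(SAMPLE_LOG):
        shown, abandoned = abandonment_by_source(SAMPLE_LOG)[ip]
        print(f"{ip}: {abandoned}/{shown} displayed quotes abandoned")
```

Grouping by client IP is only one choice; the same count can be keyed on any field the site's logs record consistently, and the thresholds should be tuned against the site's normal abandonment rate.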
NYDFS recommends that instant-quote websites take the following steps when displaying or transmitting NPI:
The NYDFS also provides recommendations to secure data, noting that regulated entities should review whether it is necessary to display any NPI, including redacted NPI.
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.