New York regulator warns of 'systemic and aggressive' data theft campaign
Advisen
New York regulator warns of 'systemic and aggressive' data theft campaign
By Erin Ayers
On the heels of releasing a cyber risk insurance framework, the New York Department of Financial Services (NYDFS) issued an alert about a “systemic and aggressive” campaign to steal data from public-facing websites.
Hackers appear to be collecting consumer information as part of an ongoing pandemic and unemployment benefits fraud campaign, according to DFS. Regulators cited “instant quote websites” as a key target for cybercriminals to gather nonpublic information (NPI) and warned regulated entities to watch for evidence of hacking.
“Even if that NPI is redacted, hackers have shown that they are adept at stealing the full unredacted NPI. DFS has already received several reports from regulated entities that have detected both successful and unsuccessful versions of these cyberattacks,” said DFS. Two auto insurers alerted the department in December 2020 and January 2021.
“The insurers first noticed this activity because of an unusually high number of abandoned quotes or quotes not pursued after the display of the estimated insurance premium,” said DFS. Criminals would enter a valid name, any date of birth and any address information into the required fields, prompting the quote website to display an estimated premium, along with partial or redacted consumer information including a driver’s license number.
“The attackers captured the full, unredacted driver’s license numbers without going any further in the process and abandoned the quote,” said DFS. State regulators have been able to tie the data theft to fraudulent unemployment claims.
The alert follows the Feb. 4 introduction of a cyber insurance risk framework that advises cyber insurers on their “critical role in mitigating and reducing the risks of cybercrime.” In a circular letter, DFS strongly urged cyber insurers against paying ransomware actors and recommended that cyber policies include a requirement to notify law enforcement. DFS also offered guidelines on measuring silent cyber exposure, systemic risk aggregation, and educating insureds and agents/brokers on cyber risk.
“Many insurers still have work to do to develop a rigorous and data driven approach to cyber risk, and experts have expressed concerns that insurers are not yet able to accurately measure cyber risk … Insurers that don’t effectively measure the risk of their insureds also risk insuring organizations that use cyber insurance as a substitute for improving cybersecurity, and pass the cost of cyber incidents on to the insurer,” said DFS in its letter, adding that absent effective measures, “cyber insurance can therefore have the perverse effect of increasing cyber risk – risk that will be borne by the insurer.”
