Hackers Targeting Insurance Instant Quote Sites

Clark Hill PLC

The New York Department of Financial Services (“DFS”) issued a cybersecurity fraud alert (“Alert”) to all regulated entities, particularly those operating public-facing websites that display nonpublic information (“NPI”), even in redacted form. According to the Alert, data thieves have been attacking websites that provide instant auto insurance quotes and, in doing so, display redacted NPI, for example a driver’s license number. DFS believes the hackers are using the harvested information to fraudulently apply for pandemic and unemployment benefits.

Data thieves employ a variety of techniques to obtain a consumer’s information, including (i) examining the site’s source code; (ii) intercepting and decoding unredacted NPI with browser developer tools, which works whenever the full value is sent to the browser and only masked on the page; (iii) manipulating the site’s redaction mechanism to expose unredacted NPI; (iv) purchasing a policy with fraudulent payment information; and (v) using social engineering to extract information from insurance agents who follow up on leads.

Regardless of the methods employed, companies providing instant quotes should assume they are likely to have been targeted and put security measures in place to reduce the risk of compromising consumer data. The Alert urges insurance companies (and their vendors) across all lines of insurance to examine website analytics and traffic metrics for abnormalities such as an unusual number of abandoned quotes in a short timeframe. DFS also urges companies to review their server logs for evidence of unauthorized access to NPI.
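The abandoned-quote check the Alert describes, as an added example that is not part of the Alert or of this article: it groups quote events from application logs into fixed time windows, counts quotes that were started but never purchased, and flags windows that exceed a threshold along with the source IP most responsible. The log format, the event names and the sample lines are constructed for this example.

```javascript
// Added example (not from the DFS Alert or Clark Hill). Detects bursts of
// abandoned instant quotes. Log format is constructed:
//   <ISO timestamp> <client IP> <session id> <event>
// where event is quote_started or quote_purchased.
const SAMPLE_LOG_LINES = `
2021-02-16T10:00:01Z 203.0.113.5   s1  quote_started
2021-02-16T10:00:20Z 203.0.113.5   s1  quote_purchased
2021-02-16T10:01:10Z 203.0.113.8   s2  quote_started
2021-02-16T10:30:02Z 198.51.100.77 s10 quote_started
2021-02-16T10:30:09Z 198.51.100.77 s11 quote_started
2021-02-16T10:30:15Z 198.51.100.77 s12 quote_started
2021-02-16T10:30:21Z 198.51.100.77 s13 quote_started
2021-02-16T10:30:30Z 198.51.100.77 s14 quote_started
2021-02-16T10:30:36Z 198.51.100.77 s15 quote_started
2021-02-16T10:31:00Z 203.0.113.9   s3  quote_started
2021-02-16T10:32:00Z 203.0.113.9   s3  quote_purchased
`.trim().split("\n");

function parseLine(line) {
  const [ts, ip, session, event] = line.trim().split(/\s+/);
  return { t: Date.parse(ts), ip, session, event };
}

// A started quote counts as abandoned when its session never reaches
// quote_purchased anywhere in the log. Windows are fixed-size buckets
// (default 5 minutes) so a burst shows up as one bucket with many abandons.
function abandonedQuoteWindows(lines, { windowMs = 5 * 60 * 1000, maxAbandoned = 3 } = {}) {
  const events = lines.map(parseLine);
  const purchased = new Set(
    events.filter((e) => e.event === "quote_purchased").map((e) => e.session)
  );
  const buckets = new Map();
  for (const e of events) {
    if (e.event !== "quote_started") continue;
    const start = Math.floor(e.t / windowMs) * windowMs;
    const b = buckets.get(start) || { started: 0, abandoned: 0, byIp: new Map() };
    b.started += 1;
    if (!purchased.has(e.session)) {
      b.abandoned += 1;
      b.byIp.set(e.ip, (b.byIp.get(e.ip) || 0) + 1);
    }
    buckets.set(start, b);
  }
  return [...buckets.entries()]
    .filter(([, b]) => b.abandoned > maxAbandoned)
    .sort(([a], [c]) => a - c)
    .map(([start, b]) => {
      // IP with the most abandoned quotes in the window: a candidate to block.
      const [topIp, topCount] = [...b.byIp.entries()].sort((x, y) => y[1] - x[1])[0];
      return {
        windowStart: new Date(start).toISOString(),
        started: b.started,
        abandoned: b.abandoned,
        topIp,
        topIpAbandoned: topCount,
      };
    });
}

// Run on the constructed sample: one suspicious window at 10:30 UTC.
const flagged = abandonedQuoteWindows(SAMPLE_LOG_LINES);
console.log(JSON.stringify(flagged, null, 2));
```

The threshold here is a fixed count for readability; on a real site it should be derived from the baseline abandonment rate per window, since legitimate shoppers also abandon quotes and a flat number will misfire at peak hours.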

The Alert also prescribes preventive and remedial measures for insurance companies, including:

  • Reviewing NPI policies, and displaying NPI, whether redacted or not, only where there is a compelling reason to do so. 
  • Reviewing security controls such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), HTTP Strict Transport Security (HSTS) and Hypertext Markup Language (HTML) configurations (legacy SSL protocol versions should be disabled in favor of current TLS).
  • Limiting the ability of third parties to use browser developer tools to modify or manipulate web content (since the browser is under the visitor’s control, the reliable control is not to send unredacted NPI to it in the first place).
  • Ensuring that NPI is obfuscated throughout the entire pathway, from back-end systems to the page the visitor sees.
  • Ensuring privacy protections are updated and effectively protect NPI by reviewing who is authorized to see NPI, which applications use NPI, and where NPI resides.
  • Scrubbing public code repositories for proprietary code.
  • Blocking IP addresses of suspected unauthorized users and implementing a quote limit per user session.

The Alert outlines some of the ways that insurers generating leads and providing instant quotes may be vulnerable. Its guidance is instructive for all insurance companies regardless of jurisdiction or line of business. However, the requirements for notifying regulators and consumers following a data breach vary from state to state. Jurisdictions with insurance-specific cybersecurity regulations have generally promulgated rules substantially similar to either the National Association of Insurance Commissioners Insurance Data Security Model Law or the DFS Cybersecurity Regulation (23 NYCRR Part 500). 

Read the full Alert on the DFS website.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Clark Hill PLC | Attorney Advertising
