New York State Department of Financial Services Warns of New Fraudulent Campaign Targeting Consumer NPI

Hinshaw Privacy & Cyber Bytes - Insights on Compliance, Best Practices, and Trends

On February 16, the New York State Department of Financial Services (DFS) issued a cyber fraud alert, warning of a growing cybercriminal campaign to steal consumer, Nonpublic Information (NPI). The hacked data is being taken from public-facing websites and used to obtain pandemic and unemployment benefits. The first reports of fraud were received in late December 2020, and early January 2021, from automobile insurers, who reported that cybercriminals were stealing unredacted driver's license numbers by hacking their websites' instant insurance premium quote function.

The attacks target public-facing websites that display or transmit consumer NPI, and some hackers have even obtained fully redacted information. Thus far, affected entities have been primarily automobile insurers with "Instant Quote Websites," although any entity with a consumer-facing website utilizing instant quotes is at risk.

Some of the methods used to illegally obtain NPI include:

  • Taking unredacted NPI from websites' Hypertext Markup Language (HTML)
  • Using developer debug tools to intercept and decode unredacted NPI
  • Manipulating website NPI-redaction technology to fully reveal the information

DFS recommends that its regulated entities use data analytics and website traffic metrics to identify suspicious activity such as an unusual number of abandoned quotes in a short time frame or submissions that are terminated as soon as NPI is revealed. Other recommended strategies to prevent attacks include:

  • Reviewing website security controls and browser web developer tool functionality;
  • Properly implementing and ensuring redaction and data obfuscation for NPI throughout the entirety of NPI transmission;
  • Confirming privacy protections are up to date;
  • Reviewing who is authorized to see NPI, which applications use NPI, and where NPI resides;
  • Scrubbing public code repositories for proprietary code;
  • Blocking IP addresses of suspected unauthorized users; and
  • Implementing a quote limit per user session.

In light of recent hacks and the unprecedented surge in benefits fraud seen during the COVID-19 pandemic, DFS recommends that entities refrain from displaying any NPI, even if redacted, to users on public-facing websites unless there is a "compelling reason" to do so.

DFS-regulated entities should identify and resolve any cybersecurity flaws immediately. If an attack does occur, it must be reported pursuant to 23 NYCRR Section 500.17(a) as soon as possible, but within 72 hours at the latest.

Related Content

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hinshaw Privacy & Cyber Bytes - Insights on Compliance, Best Practices, and Trends | Attorney Advertising

Written by:


Hinshaw Privacy & Cyber Bytes - Insights on Compliance, Best Practices, and Trends on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.