The Department of Financial Services (“DFS”) recently learned of a systemic and aggressive campaign to exploit cybersecurity flaws in public-facing websites to steal Nonpublic Information (NPI). The unauthorized collection of NPI appears to be part of a growing fraud campaign targeting pandemic and unemployment benefits. Specifically, the hacks are focused on stealing NPI from public-facing websites that display or transmit consumer NPI. This includes websites that provide an instant quote such as an auto insurance rate using the consumers’ NPI and displaying redacted NPI back to the consumer, such as a redacted driver’s license number (“Instant Quote Websites”).
DFS urges all regulated entities with Instant Quote Websites to immediately review those websites for evidence of hacking. Even if that NPI is redacted, hackers have shown that they are adept at stealing the full unredacted NPI. DFS has already received several reports from regulated entities that have detected both successful and unsuccessful versions of these cyber-attacks. An overview of hacking techniques seen to date is described below, as well as certain indicators of compromise (“IOCs”) that can signal that an attack has occurred.