New York Department of Financial Services Issues Cyber Fraud Alert to Regulated Entities on Instant Quote Website Fraud
On February 16, 2021, the New York Department of Financial Services (“NYDFS”) issued a Cyber Fraud Alert (the “Alert”) to regulated entities in response to a growing campaign to steal nonpublic information (“NPI”), as defined under New York law, from publicly accessible websites that provide instant quotes for products such as auto insurance (“Instant Quote Websites”). NYDFS learned of the threat after receiving reports from auto insurers that cybercriminals were targeting their instant quote websites to steal driver’s license numbers. NYDFS attributes the increased threat activity in part to the rise in fraud during the COVID-19 pandemic. As previously reported, NYDFS issued cybersecurity guidance in April 2020, during the pandemic.
The Alert (1) calls on all regulated entities with publicly accessible websites to fix security gaps immediately; (2) reminds regulated entities to report cybersecurity events as soon as possible, and no later than 72 hours after discovery, in accordance with New York’s cybersecurity requirements for financial services companies; and (3) requests that attempted theft of NPI from publicly accessible websites be reported to NYDFS immediately.
The Alert also provides guidance on detecting data theft and states that all regulated entities operating Instant Quote Websites should immediately check whether their websites have been compromised by (1) analyzing data and website traffic metrics for spikes in quote requests and (2) reviewing server logs for indications of unauthorized access to NPI.
Finally, the Alert contains recommendations for securing data, noting that (1) regulated entities should consider whether NPI (including redacted NPI) needs to be displayed at all and (2) NPI should not be displayed on publicly accessible websites unless there is a compelling reason to do so. NYDFS’s recommended steps for entities whose publicly accessible websites display or transmit NPI include:
- Perform a thorough review of security controls, including SSL, TLS, HSTS, and HTML configurations;
- Review and, where possible, restrict the ability of users to edit website content using web developer tools;
- Confirm that data redaction and obfuscation solutions for NPI are properly implemented;
- Ensure that data protection rules are up to date and adequately protect NPI by verifying who can view it;
- Search public code repositories for proprietary code and remove any that is found; and
- Block the IP addresses of suspicious unauthorized users and consider limiting the number of quotes per user session.
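As an added illustration of the server log review and per-session quote limits the Alert recommends, the following is example code written here, not part of the Alert or any insurer’s tooling; the log format, the /quote/auto endpoint, the sid= session field, and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log lines (combined-log style with an assumed
# "sid=" session id appended). The quote endpoint path is also assumed.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Feb/2021:10:00:01 +0000] "POST /quote/auto HTTP/1.1" 200 1822 sid=a1
203.0.113.7 - - [16/Feb/2021:10:00:02 +0000] "POST /quote/auto HTTP/1.1" 200 1819 sid=a1
203.0.113.7 - - [16/Feb/2021:10:00:03 +0000] "POST /quote/auto HTTP/1.1" 200 1830 sid=a1
203.0.113.7 - - [16/Feb/2021:10:00:04 +0000] "POST /quote/auto HTTP/1.1" 200 1825 sid=a1
198.51.100.2 - - [16/Feb/2021:10:01:10 +0000] "POST /quote/auto HTTP/1.1" 200 1821 sid=b2
198.51.100.2 - - [16/Feb/2021:10:09:00 +0000] "GET /quote/auto/result HTTP/1.1" 200 2400 sid=b2
192.0.2.9 - - [16/Feb/2021:10:02:00 +0000] "POST /quote/auto HTTP/1.1" 200 1823 sid=c3
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ sid=(?P<sid>\S+)$'
)
QUOTE_PATH = "/quote/auto"      # assumed instant-quote submission endpoint
MAX_QUOTES_PER_SESSION = 3      # assumed per-session quote limit
WINDOW = timedelta(minutes=5)   # assumed window for detecting request spikes

def parse(line):
    """Parse one access log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "sid": m["sid"]}

def find_quote_abuse(log_text):
    """Return {(ip, sid): peak count} for sessions whose quote submissions
    exceed MAX_QUOTES_PER_SESSION within any WINDOW-long sliding window."""
    events = defaultdict(list)  # (ip, sid) -> timestamps of quote POSTs
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"] == QUOTE_PATH:
            events[(rec["ip"], rec["sid"])].append(rec["ts"])
    flagged = {}
    for key, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:  # slide the window forward
                start += 1
            count = end - start + 1
            if count > MAX_QUOTES_PER_SESSION:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged
```

Flagged sessions are candidates for review and for the IP blocking the Alert mentions, not automatic proof of compromise; a legitimate comparison shopper can also submit several quotes.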