The Alert describes a widespread cybercrime campaign to steal consumers’ nonpublic information (“NPI”) from public-facing websites that transmit or display redacted NPI.

DFS has received reports from several regulated entities of successful or attempted data theft from websites that provide instant quotes – for example, auto insurance rate quotes – using consumer NPI and displaying some redacted NPI back to the consumer. The goal of this theft appears to be to use the stolen NPI to fraudulently apply for pandemic and unemployment benefits.

“Cyber criminals are creative and tenacious, and continue to look for new ways to exploit us during an already vulnerable time,” said Superintendent of Financial Services Linda A. Lacewell. “DFS expects the industry to protect consumer data by addressing cybersecurity risks in everything they do."

Several incidents reported by regulated entities and information gathered by DFS’s Cyber Intelligence Unit show that this cybercrime campaign is targeting a broad range of public-facing websites. The Alert summarizes techniques used by cybercriminals and outlines cybersecurity measures to better protect consumer data. All DFS-regulated entities with public-facing websites that transmit or display NPI – even redacted NPI – should review the findings and recommendations set forth in the Alert.

DFS reminds its regulated entities to immediately report to DFS theft of consumers’ NPI, pursuant to its cybersecurity regulation.

The Alert furthers DFS’s commitment to improving cybersecurity to protect consumers and the industry. Recently, DFS issued its first-in-the-nation Cybersecurity Insurance Framework, building on DFS’s longstanding work fostering a strong and resilient insurance market that protects New Yorkers. DFS’s first-in-the-nation Cybersecurity Regulation took effect in March 2017. In 2019, DFS was also the first financial services regulator to create a Cybersecurity Division to oversee all aspects of its cybersecurity regulation and policy.