On February 16, the NYS Department of Financial Services issued a cybersecurity fraud alert involving public-facing web sites where consumers could request “instant quotes” for car insurance or other products. The alert warned insurers that private information used to prefill requests was being stolen and misused for pandemic unemployment benefits fraud. At the time, they wrote:
DFS first became aware of this cyber campaign when it received reports from two auto insurers in late December 2020 and early January 2021, that cybercriminals were targeting their websites that offer instant online automobile insurance premium quotes (“Auto Quote Websites”) to steal unredacted driver’s license numbers. The insurers first noticed this activity because of an unusually high number of abandoned quotes or quotes not pursued after the display of the estimated insurance premium. On the Auto Quote Websites, the criminals entered valid name, any date of birth and any address information into the required fields. The Auto Quote Websites then displayed an estimated insurance premium quote along with partial or redacted consumer NPI including a driver’s license number. The attackers captured the full, unredacted driver’s license numbers without going any further in the process and abandoned the quote.
In January 2021, DFS alerted approximately a dozen regulated entities maintaining Auto Quote Websites that they were likely targets of hackers looking to gain access to New Yorkers’ NPI, specifically driver’s license numbers. Following that alert, six more insurers reported to DFS the malicious targeting of their Auto Quote Websites. Two of those insurers reported that the attackers failed to gain access to NPI and four reported that the attackers did gain access to NPI or that their investigation was still ongoing. We appreciate the engagement of our regulated entities and their prompt response to our earlier, limited alert.
A copy of the full Alert is available on the DFS website.
But did enough entities learn of the alert, and if they did, what did they do? Since that alert, we have seen a number of reports that appear related to it. The remainder of this post identifies a number of insurers who reported breaches of this kind.
As Zack Whittaker reported on TechCrunch, Metromile filed a report in February stating that it had fixed a security flaw on its website that allowed a hacker to obtain driver license numbers. DataBreaches.net was subsequently able to discover that 120,000 consumers were notified.
On March 4, Root Insurance notified 73,238 consumers of an incident that had occurred in January, before the alert.
In a March 23 notification to 149,760 consumers, Hagerty Insurance Agency, LLC explained their incident and its relationship to the fraud scheme clearly. Their incident started before the alert, but information in the alert helped them respond to it more effectively. A copy of their notification is embedded at the bottom of this report.
On April 30, Farmers Insurance Exchange and 21st Century Insurance Company notified 54,192 consumers of an incident that began on January 20, before the alert.
As DataBreaches.net previously reported, American Family Mutual Insurance Company, S.I. (American Family) sent 283,734 notifications to people. Their incident began before the February 16 alert, but continued until March 19, 2021.
As this site also reported, Noblr Reciprocal Exchange (Noblr) notified 97,633 consumers after they had experienced a similar attack in January.
GEICO notified consumers in April. Their attack began January 21 and continued to March 1. In a filing to a state regulator, GEICO revealed that it was notifying 131,043 consumers.
And we can add yet more auto insurers to the list of likely targets involved in a massive scheme. Let’s start with State Automobile Mutual Insurance Company, which notified an unspecified number of consumers on May 11 about an incident that began on March 11 and that they first detected on March 31.
Also add Midvale Indemnity Company to the list. On May 13, they sent a notification letter to consumers about their incident, which occurred in January. DataBreaches.net does not yet know the number of consumers notified as a result of this incident. You can read their full notification here.
We can also add Alfa Insurance to the list of insurers whose portals were used to steal personal information. A template of their notification letter of May 17, submitted to the Maine Attorney General’s Office, explains:
On February 1, 2021, Alfa was informed by one of its third-party vendors of a new data security threat targeting insurance carriers’ consumer-facing websites. On the same day, Alfa also noticed an abnormally high volume of activity on its online quoting system for automobile insurance. Alfa shut down the online quoting system as a precaution to help prevent further access and engaged a third-party computer forensics expert to help investigate the scope of the incident. That detailed investigation determined that an unknown person may have used personal information acquired elsewhere, such as name and date of birth, to obtain unauthorized access to additional personally identifiable information through Alfa’s online quoting system. ….. Based on our investigation, your name in combination with your Social Security number and drivers’ license number may have been affected by this incident.
Alfa’s vendor alerting them and their quick response shutting down their portal likely saved more consumers from having their data stolen. Alfa sent out notifications to 5,350 consumers this week.
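The signals described in the DFS alert (an unusually high number of quotes abandoned right after the premium is displayed) and in Alfa's letter (abnormally high quoting volume) can be checked from quote-funnel logs. The sketch below is an added example, not code from DFS or any insurer; the log format, event names, per-client grouping and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Hypothetical event names for a quote funnel; real sites will differ.
START, SHOWN, CONTINUED = "quote_start", "premium_shown", "quote_continued"

def parse(line):
    """'2021-01-04T09:00:00 client=c1 session=s1 event=quote_start' -> dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec

def abandoned_after_display(lines):
    """Return {client: {session}} for sessions that displayed a premium
    (and the prefilled data with it) but never went any further."""
    events, owner = defaultdict(set), {}
    for rec in map(parse, lines):
        events[rec["session"]].add(rec["event"])
        owner[rec["session"]] = rec["client"]
    out = defaultdict(set)
    for sid, seen in events.items():
        if SHOWN in seen and CONTINUED not in seen:
            out[owner[sid]].add(sid)
    return out

def flag_clients(lines, min_sessions=5, min_rate=0.9):
    """Clients with many quotes, nearly all abandoned right after display.
    Thresholds are assumed values to be tuned against a normal baseline."""
    abandoned = abandoned_after_display(lines)
    totals = defaultdict(set)
    for rec in map(parse, lines):
        totals[rec["client"]].add(rec["session"])
    flagged = {}
    for client, sessions in totals.items():
        n_ab = len(abandoned.get(client, ()))
        rate = n_ab / len(sessions)
        if n_ab >= min_sessions and rate >= min_rate:
            flagged[client] = (n_ab, round(rate, 2))
    return flagged

def sample_log():
    """Constructed sample: two ordinary shoppers and one bulk client."""
    lines = []
    def add(client, sid, *evts):
        for i, e in enumerate(evts):
            lines.append(f"2021-01-04T09:{i:02d}:00 client={client} session={sid} event={e}")
    add("c1", "s1", START, SHOWN, CONTINUED)   # completed quote
    add("c2", "s2", START, SHOWN)              # ordinary single abandonment
    for n in range(8):
        add("c9", f"b{n}", START, SHOWN)       # repeated abandon-after-display
    return lines
```

Here `client` stands for whatever grouping key the site logs (an assumption); putting every session in one group gives the site-wide abandonment rate that the insurers in the alert noticed.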
The notifications cited above are conceivably just a drop in the bucket for what went on beginning at the end of last year. Is it still going on? DataBreaches.net does not know, and has reached out to NYS DFS to ask if they have any updated statistics that they can share. But even for the few incidents this site identified where we know numbers, we are looking at more than 900,000 consumers potentially at risk for misuse of their personal information.
Updated May 30:
On May 25, 2021, Infinity Insurance Company notified an unknown number of individuals of another data security incident that occurred between January 7, 2021 and April 4, 2021. Infinity/Kemper were able to determine that the security incident occurred when an unauthorized party used applications, typically used by insurance agents and consumers, to obtain online auto insurance quotes. (source)