The New York State Department of Financial Services on Tuesday issued a cybersecurity fraud alert describing what it calls “a systemic and aggressive campaign” to steal consumers’ nonpublic information — commonly referred to as NPI — from public-facing websites that transmit or display redacted NPI.

DFS reported that it has received reports from several regulated entities of successful or attempted data theft from websites that provide instant quotes – for example, auto insurance rate quotes – using consumer NPI and displaying some redacted NPI back to the consumer. The goal of this theft appears to be to use the stolen NPI to fraudulently apply for pandemic and unemployment benefits, according to DFS.

The alert summarizes techniques used by cybercriminals and outlines cybersecurity measures to help better protect consumer data.  All DFS-regulated entities with public-facing websites that transmit or display NPI – even redacted NPI – should review the findings and recommendations set forth in the alert, according to DFS. Credit unions should report to DFS theft of consumers’ NPI, pursuant to its cybersecurity regulation.

The cybersecurity fraud alert can be accessed on the DFS website.