Hackers Nabbed State Employees’ Credit Card and Social Security Numbers

It’s unclear whether the legislature is taking steps to address its security vulnerabilities.

Sam Mellins   ·   August 6, 2024
The New York state Capitol against a wall of code
As legislative leaders remain silent, key questions about an April cyberattack still have no answers. | Illustration: Akash Mehta

An April cyberattack targeting the New York state legislature led to hackers obtaining the sensitive financial information of as many as 710 New Yorkers, according to an incident report obtained by New York Focus through a public records request. It’s unclear whether the legislature is taking any steps to address the security flaws that led to the hackers gaining access.

The attack targeted the Legislative Bill Drafting Commission, an office within the legislative branch that writes up the bills proposed by lawmakers. The hack, which was widely reported on at the time, derailed the bill drafting process and forced the commission’s staff to temporarily revert to an antiquated 1994 computer system as they finalized the state budget, according to Governor Kathy Hochul.

The hackers gaining access to sensitive financial information has not been previously reported.

On the day of the hack, April 17, government officials said they had been told it appeared to be a ransomware attack, a strategy in which hackers block access to certain data until the target pays a sum of money. The hackers, whose identity and methods remain publicly unknown, obtained driver’s license numbers, credit card information, and Social Security numbers, according to the incident report.

Do you work at the Legislative Bill Drafting Commission? We'd love to hear from you about the April cyberattack. Please reach out to sam@nysfocus.com. Your information will not be published without your permission.

The report states that the attack affected 730 individuals, including 710 New York residents. It does not specify how many of those individuals had specific kinds of information compromised.

The hackers may be able to use the information they obtained to attempt identity theft, according to Douglas Jones, emeritus professor of computer science at the University of Iowa.

“This might be enough to open bank accounts, take out loans, and make credit card purchases in the victim’s name,” Jones said.

Legislative leaders have refused to provide any further details about the attack or how they responded to it. The head of the Legislative Bill Drafting Commission, Christopher Higgins, declined to answer questions, instead referring them to Senate Democrats’ communications director, Michael Murphy, who did not respond to multiple requests for comment. Assembly Speaker Carl Heastie’s spokesperson Michael Whyland also did not respond to requests.

When confidential data is hacked, state entities are legally required to inform the Office of Information Technology Services, the state agency responsible for cybersecurity, which is then required to conduct an investigation. But while ITS helped get the computer system back online, there is no indication that the legislature communicated news of the stolen financial data, and the agency has not conducted an investigation into the incident.

“Once the response efforts were completed, the attack contained, and the Budget was successfully delivered, we considered our job to be done,” said Scott Reif, who heads communications for ITS.

“We have not been subsequently informed by the LBDC that specific legal requirements had been met that would trigger additional actions by ITS or any other Executive agencies,” he added.

In April, Hochul promised that her administration would investigate the attack and share the results with the public. That hasn’t happened, possibly because she may not have the authority to conduct an investigation without the legislature’s invitation.

“I have one of the top cybersecurity teams in the entire country. I knew that was a priority. No one will do it better than we do in trying to get to the bottom of this attack,” Hochul said during an interview on WNYC’s The Brian Lehrer Show. “We’ll let people know what we know when we know it.”

It’s unclear whether the legislature has mounted its own investigation.

As legislative leaders remain silent, key questions about the breach still have no answers.

One is whom the attack affected. Fewer than 500 people work for the Bill Drafting Commission, meaning the scope of the attack, which affected 730 people, extended beyond its staff.

Another is whether the attackers made changes to the text of laws or bills, two security experts said. The incident report said that the hackers obtained other nonfinancial information, but did not specify what.

“Any reasonable cybersecurity office would check that the data has not been tampered with,” said Susan Landau, a computer science professor at Tufts University and an expert on cybersecurity. “A minor change could have big implications.”

State agencies have been hacked several other times in recent years, though there’s no evidence financial information was compromised in those cases, and two of the targeted agencies specifically said at the time that hadn’t happened.

The lack of investigation raises questions about the state’s strategy to prevent cyberattacks, said Albert Fox Cahn, founder and director of the Surveillance Technology Oversight Project, a New York-based digital privacy advocacy group.

“We need to understand how the state is investing to prevent this from happening again,” Cahn said. “If you don’t study what went wrong, you’re going to have a much harder time preventing it.”

Last year, Hochul added $35 million to the state’s cybersecurity budget and released a statewide cybersecurity strategy. But the executive branch doesn’t have the authority to set rules for the legislature.

The hack was likely exacerbated by using out-of-date security practices. The fact that hackers both rendered the bill drafting system unusable and were able to access Social Security numbers and financial information indicates that the same system was being used for bill drafting as for payroll — an obvious no-no, said Jones, the Iowa professor.

“You don’t want a careless staffer to open a work-related email and have it clobber the payroll system,” he said. “This kind of separation has been common for 50 years in the corporate world.”

In addition, if the commission was forced to revert to its 1994 computer system, that suggests that it lacked an updated backup version, Landau said.

The attack should serve as a wake-up call to state government, Cahn said.

“This crippled incredibly important infrastructure, and on top of that, it exposed all this confidential information,” he said. “To me it’s very odd that you’re not seeing an expanded response.”

At New York Focus, our central mission is to help readers better understand how New York really works. If you think this article succeeded, please consider supporting our mission and making more stories like this one possible.

New York is an incongruous state. We’re home to fabulous wealth — if the state were a country, it would have the tenth largest economy in the world — but also the highest rate of wealth inequality. We’re among the most diverse – but also the most segregated. We passed the nation’s most ambitious climate law — but haven’t been meeting its deadlines and continue to subsidize industries hastening the climate crisis.

As New York’s only statewide nonprofit news publication, our journalism exists to help you make sense of these contradictions. Our work scrutinizes how power works in the state, unpacks who’s really calling the shots, and reveals how obscure decisions shape ordinary New Yorkers’ lives.

In the last two decades, the number of local news outlets in New York have been nearly slashed in half, allowing elected officials and powerful individuals to increasingly operate in the dark — with the average New Yorker none the wiser.

We’re on a mission to change that. Our work has already shown what can happen when those with power know that someone is watching, with stories that have prompted policy changes and spurred legislation. We have ambitious plans for the rest of the year and beyond, including tackling new beats and more hard-hitting stories — but we need your help to make them a reality.

If you’re able, please consider supporting our journalism with a one-time gift or a monthly gift. We can't do this work without you.

Thank you,

Akash Mehta
Editor-in-Chief
Sam Mellins is senior reporter at New York Focus, which he has been a part of since launch day. His reporting has also appeared in The San Francisco Chronicle, The Intercept, THE CITY, and The Nation. 
Also filed in New York State

Much of Albany’s lawmaking process is controlled by a platoon of mostly young, low-paid employees who craft policy ideas into potential laws. And they’re turning over in droves.

New York Focus traveled across the state to meet with communities about their local news needs.

New York has a little-noticed tool to shift billions of highway dollars to climate-friendly public transit projects. The governor doesn’t seem interested.