Hackers Nabbed State Employees’ Credit Card and Social Security Numbers

It’s unclear whether the legislature is taking steps to address its security vulnerabilities.

Sam Mellins   ·   August 6, 2024
Illustration: The New York state Capitol against a wall of code. As legislative leaders remain silent, key questions about an April cyberattack still have no answers. | Illustration: Akash Mehta

An April cyberattack targeting the New York state legislature led to hackers obtaining the sensitive financial information of as many as 710 New Yorkers, according to an incident report obtained by New York Focus through a public records request. It’s unclear whether the legislature is taking any steps to address the security flaws that led to the hackers gaining access.

The attack targeted the Legislative Bill Drafting Commission, an office within the legislative branch that writes up the bills proposed by lawmakers. The hack, which was widely reported on at the time, derailed the bill drafting process and forced the commission’s staff to temporarily revert to an antiquated 1994 computer system as they finalized the state budget, according to Governor Kathy Hochul.

That the hackers gained access to sensitive financial information has not been previously reported.

On the day of the hack, April 17, government officials said they had been told it appeared to be a ransomware attack, a strategy in which hackers block access to certain data until the target pays a sum of money. The hackers, whose identity and methods remain publicly unknown, obtained driver’s license numbers, credit card information, and Social Security numbers, according to the incident report.

Do you work at the Legislative Bill Drafting Commission? We'd love to hear from you about the April cyberattack. Please reach out to sam@nysfocus.com. Your information will not be published without your permission.

The report states that the attack affected 730 individuals, including 710 New York residents. It does not specify how many of those individuals had specific kinds of information compromised.

The hackers may be able to use the information they obtained to attempt identity theft, according to Douglas Jones, emeritus professor of computer science at the University of Iowa.

“This might be enough to open bank accounts, take out loans, and make credit card purchases in the victim’s name,” Jones said.

Legislative leaders have refused to provide any further details about the attack or how they responded to it. The head of the Legislative Bill Drafting Commission, Christopher Higgins, declined to answer questions, instead referring them to Senate Democrats’ communications director, Michael Murphy, who did not respond to multiple requests for comment. Assembly Speaker Carl Heastie’s spokesperson Michael Whyland also did not respond to requests.

When confidential data is hacked, state entities are legally required to inform the Office of Information Technology Services, the state agency responsible for cybersecurity, which is then required to conduct an investigation. But while ITS helped get the computer system back online, there is no indication that the legislature communicated news of the stolen financial data, and the agency has not conducted an investigation into the incident.

“Once the response efforts were completed, the attack contained, and the Budget was successfully delivered, we considered our job to be done,” said Scott Reif, who heads communications for ITS.

“We have not been subsequently informed by the LBDC that specific legal requirements had been met that would trigger additional actions by ITS or any other Executive agencies,” he added.

In April, Hochul promised that her administration would investigate the attack and share the results with the public. That hasn’t happened, possibly because she may not have the authority to conduct an investigation without the legislature’s invitation.

“I have one of the top cybersecurity teams in the entire country. I knew that was a priority. No one will do it better than we do in trying to get to the bottom of this attack,” Hochul said during an interview on WNYC’s The Brian Lehrer Show. “We’ll let people know what we know when we know it.”

It’s unclear whether the legislature has mounted its own investigation.

As legislative leaders remain silent, key questions about the breach still have no answers.

One is whom the attack affected. Fewer than 500 people work for the Bill Drafting Commission, meaning the scope of the attack, which affected 730 people, extended beyond its staff.

Another is whether the attackers made changes to the text of laws or bills, two security experts said. The incident report said that the hackers obtained other nonfinancial information, but did not specify what.

“Any reasonable cybersecurity office would check that the data has not been tampered with,” said Susan Landau, a computer science professor at Tufts University and an expert on cybersecurity. “A minor change could have big implications.”

State agencies have been hacked several other times in recent years, though there’s no evidence financial information was compromised in those cases, and two of the targeted agencies specifically said at the time that hadn’t happened.

The lack of investigation raises questions about the state’s strategy to prevent cyberattacks, said Albert Fox Cahn, founder and director of the Surveillance Technology Oversight Project, a New York-based digital privacy advocacy group.

“We need to understand how the state is investing to prevent this from happening again,” Cahn said. “If you don’t study what went wrong, you’re going to have a much harder time preventing it.”

Last year, Hochul added $35 million to the state’s cybersecurity budget and released a statewide cybersecurity strategy. But the executive branch doesn’t have the authority to set rules for the legislature.

The hack was likely exacerbated by using out-of-date security practices. The fact that hackers both rendered the bill drafting system unusable and were able to access Social Security numbers and financial information indicates that the same system was being used for bill drafting as for payroll — an obvious no-no, said Jones, the Iowa professor.

“You don’t want a careless staffer to open a work-related email and have it clobber the payroll system,” he said. “This kind of separation has been common for 50 years in the corporate world.”

In addition, if the commission was forced to revert to its 1994 computer system, that suggests that it lacked an updated backup version, Landau said.

The attack should serve as a wake-up call to state government, Cahn said.

“This crippled incredibly important infrastructure, and on top of that, it exposed all this confidential information,” he said. “To me it’s very odd that you’re not seeing an expanded response.”

Sam Mellins is senior reporter at New York Focus, which he has been a part of since launch day. His reporting has also appeared in The San Francisco Chronicle, The Intercept, THE CITY, and The Nation. 