Skip to content ↓ | Skip to navigation ↓

Officials revealed that malicious actors had succeeded in infiltrating the computer network serving New York’s state government.

According to the Wall Street Journal (WSJ), officials revealed on April 13 that New York’s Office of Information Technology had discovered the security incident in late-January 2020. Its analysis unveiled that those individuals responsible for the attack had constructed tunnels into some of New York’s servers that the State used for relaying encrypted data. That information ranged from motor vehicle records to payroll information for the 250,000 employees employed in New York’s state agencies and public universities.

In response to the findings discussed above, New York brought in help to determine the extent of the security incident. Richard Azzopardi, senior advisor to NY Governor Andrew Cuomo, revealed that the subsequent investigatory effort uncovered “no evidence that personal data of any New York resident, employee, or any other individuals were compromised or have been taken from our network.”

The State is currently working with the Federal Bureau of Investigations (FBI) to pinpoint the identities of those responsible for the breach. Two people familiar with that collaboration told WSJ that a foreign actor was likely responsible for the security incident.

In the meantime, state officials decided to augment government systems’ existing digital security measures. They did so by installing additional digital security software and resetting passwords at agencies affected by the breach. Among them was the State’s comptroller office, which confirmed to WSJ that it had implemented certain measures to harden its digital security posture.

No statement regarding the breach was available on New York’s Office of Information Technology website at the time of writing.

News of this attack comes less than a year after New York State enacted the Stop Hacks and Improve Electronic Data Security (SHIELD) Act as a means to safeguard its residents against unauthorized data access. More can be found about this legislation here.