New York
Table of Contents
- Identity Theft Statistics
- Top Ten Report Categories
- Top Identity Theft Types
- Fraud & Other Reports by Metropolitan Area
- New York’s Biggest Data Breaches
- What Should You Do if You Are in a Breach?
- Step-by-Step Process for Responding to a Data Breach
- Responsibilities of Companies that Have Been Breached
- Laws
- Resources
Data breaches entail the acquisition of data without relevant authorization. The compromised data might damage the information's security, integrity, and confidentiality. When determining if information has been accessed or is believed to have been accessed, entities can consider indications it was viewed or altered by an individual without the appropriate authorization. The most common data breaches in New York are malware attacks, phishing, ransomware, and identity theft. As of 2017, data breaches had exposed the personal records of 9.2 million New Yorkers. This included Social Security numbers, financial account information, hacking, and malware.
Identity Theft Statistics
Reports
Reports
Losses
Top Ten Report Categories
Top Identity Theft Types
New York's Biggest Data Breaches
New York Law Department
In June 2021, New York's law department database was hacked, allowing access to cybercriminals. It also forced officials to take at least 1,000 legal personnel offline. The possible motives of the hack, though, were unknown, but officials believed it was not a ransomware scenario. Fortunately, no data was compromised in the cyberattack. At the time, New York City Mayor Bill Deblasio called the breach an emerging situation. He also indicated that they were still tracking down the perpetrators of the crime.
Metropolitan Transportation Authority (M.T.A.)
Metropolitan Transportation Authority indicated it fell victim to a data breach in April 2021 when a subway system computer was hacked. The transit authority claimed it was alerted by the FBI that it was among several agencies that were targeted in a campaign. In so doing, the attack affected three of the 18 systems within the MTA. The chief technology officer said a forensic audit revealed no evidence that operational systems were affected. Similarly, no client or employee information was breached, and there were no changes to vital systems. Congressman Andrew R. Garbarino released a statement demanding answers from the MTA. He indicated it was personal to his constituents, considering millions of constituents use the MTA daily, and they deserved to know if their personal information was at risk.
New York University (NYU)
In 2021, Marymount Manhattan College suffered a data breach incident that impacted an estimated 100,000 New Yorkers. These were current and prospective students of MMC, including faculty members. Though the school did not necessarily clarify the extent of the damage, it engaged cybersecurity professionals to assist in investigating. The Office of the Attorney General in New York headed the investigation and found that the college failed to secure its networks appropriately. They also did not update their policies to combat security concerns. In so doing, the University invested $3.5 million towards improving data encryption and security as a mitigation measure.
JP Morgan & Chase
JP Morgan and Chase experienced a significant data breach in 2014, which went unnoticed for two months. In total, the attack affected more than 75 million households. The technological environment was first compromised when attackers gained access to the firm's servers, which gave the attackers access to consumer information. In a filing to the SEC, JP Morgan showed that the information compromised included names, phone numbers, and email addresses. It did not find any evidence that passwords, Social Security numbers, and account numbers were part of the data breach.
New York Times
In the cyber-attack incident, the New York Times website was rendered offline for a period. It was also found that 53 of the organization's employees were victims of a phishing attack. This breach was believed to be part of a campaign that targeted reporters of other outlets and the democratic Party. New York Times spokeswoman Eileen Murphy indicated that the News site was taking different approaches, including working with law enforcement and external investigators to resolve the problem.
What Should You Do if You Are in a Breach?
Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.
Unfamiliar
Credit Card Charges
If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.
Calls from
Debt Collectors
Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.
New Credit Cards
or Loans in Your Name
A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.
Surprise Credit
Score Drops
Sudden credit drops with no obvious cause are a sign of suspicious activities.
Unusual Activity on Your
Social Security Account
The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.
Inability to
Sign-in to Accounts
If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.
Step-by-Step Process for Responding to a Data Breach
Contact Local Law Enforcement
As an individual or a business, report the incident to the police and file a police report.
Assess and Secure Compromised Areas
Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.
Contain the Breach
Isolate the affected system to prevent further damage.
Create New, Strong Passwords for All Accounts
This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.
Notify Affected Institutions
Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.
Update Security on Digital Accounts
Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.
Check for Malware
Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.
Freeze Your Credit
In cases of identity theft, contact all credit bureaus to freeze your credit.
Monitor Your Mail and Credit Reports
Keep an eye out for any unauthorized changes in your mail.
Engage Legal Assistance When Applicable
If you are a business, consider hiring a law firm experienced in handling data breaches.
Responsibilities of Companies that Have Been Breached
Company reporting is covered under New York state laws and given regulations. Businesses in the state that have experienced a security breach have to notify their clients concerning the breach. Notification may be done by email, telephone, letter, or via the information on the organization's website. They must also notify particular state offices like the New York State Office of Cyber Security and Critical Infrastructure Coordination, the New York State Attorney General, and the Consumer Protection Board. If the breach has affected more than 5,000 residents in the state, the business also has to notify consumer reporting agencies.
The notices issued to residents have to include descriptions of what was compromised along with contact data. Businesses must use the New York State Security Breach reporting form to report it to the relevant state offices. The form will include the names of the businesses as well as addresses. It will also have the number of people affected and the date of the breach.
Should the data breach concern healthcare facilities, they must comply with the Health Insurance Portability and Accountability Act of 1996. Such a breach also entails a breach notification rule, which requires notification following a breach. Businesses must notify the secretary of the Department of Health and Human Services, affected personnel, and the media if more than 500 residents are affected.
Laws
The New York State Information Security Breach and Notification Act defines private information as knowledge of the following:
- Social Security number
- Account number, credit card information, debit card numbers, or access to their financial information
- Biometric information
The SHIELD (Stop Hacks and Improve Data Security) Act, which stops hacks and improves data security, was enacted in 2019. It amended the initial Information Security Breach and Notification Act. This law required reasonable security for private data by utilizing standards according to the business's size. The SHIELD Act provided a flexible standard for small businesses, indicating that safeguards aligned with small businesses should be taken.
Resources
- INFORMATION EXPOSED 2017 Data Breaches in New York State
- U.S. Charges Hacker with Illegally Accessing New York Times Computer Network
- Congressman Garbarino's Statement on MTA Cyberattack
- Attorney General James Reaches Agreement with Marymount Manhattan College to Invest $3.5 Million to Protect Students' Online Data
- Data Breach Reporting Form and Compliance Guidance for Businesses
- Health Insurance Portability and Accountability Act (HIPAA)
- Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)
- New York State: What You Need to Know About Security Breaches