A data breach in New York City’s Housing Connect lottery program exposed sensitive personal information of 38,000 applicants, including names, unverified incomes, phone numbers, emails, and—though mostly redacted—52 unredacted Social Security numbers and 592 birthdates. The breach occurred due to a system misconfiguration in a portal managed by Reside New York, a city-approved vendor, and was traced to a third-party contractor (LogicFold), which mistakenly made applicant data searchable online between May 2 and July 2, 2024. While no confirmed cases of identity theft or fraud were reported, the exposed data included financial and personally identifiable information (PII), raising risks of potential misuse. Reside New York removed the exposed data after being alerted by CBS News, implemented web/dark web monitoring (finding no leaked traces), and offered credit monitoring to affected individuals. The city’s Housing Preservation and Development Department (HPD) deemed the incident unacceptable and placed Reside under a corrective action plan to prevent recurrence.
Source: https://www.cbsnews.com/newyork/news/nyc-housing-lottery-data-breach/
TPRM report: https://www.rankiteo.com/company/residenewyork
"id": "res5162051091925",
"linkid": "residenewyork",
"type": "Breach",
"date": "7/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '38,000 applicants (data '
'possibly viewed); 480,000 '
'applications in portal',
'industry': 'housing/public services',
'location': 'New York City, NY, USA',
'name': 'New York City Housing Preservation and '
'Development (HPD)',
'type': 'government agency'},
{'industry': 'housing services',
'location': 'New York, NY, USA',
'name': 'Reside New York',
'type': 'private company (third-party vendor)'},
{'industry': 'data processing/tenant vetting',
'name': 'LogicFold',
'type': 'private company (subcontractor)'}],
'attack_vector': 'system misconfiguration in a public-facing portal',
'customer_advisories': ['311 support line',
'direct notifications to affected applicants',
'credit monitoring offers'],
'data_breach': {'data_encryption': 'partial (most SSNs redacted)',
'file_types_exposed': ['application forms'],
'number_of_records_exposed': '38,000 (possibly viewed); '
'480,000 applications in portal',
'personally_identifiable_information': ['names',
'addresses',
'phone numbers',
'emails',
'incomes',
'Social Security '
'numbers (52 exposed)',
'birthdates (592 '
'accessed)'],
'sensitivity_of_data': 'high (includes SSNs, birthdates, '
'incomes, addresses)',
'type_of_data_compromised': ['PII (Personally Identifiable '
'Information)',
'application details']},
'date_detected': '2023-07',
'date_publicly_disclosed': '2023-07',
'date_resolved': '2023-07-02',
'description': "A data breach in New York City's Housing Connect lottery "
'program exposed personal information of thousands of '
'applicants, including names, addresses, incomes, phone '
'numbers, emails, and in some cases, Social Security numbers '
"and birthdates. The breach was caused by a 'system "
"misconfiguration' in a portal managed by Reside New York, a "
'third-party vendor, and its subcontractor, LogicFold. The '
'portal was accessible from May 2 to July 2, 2023, with '
'potential exposure of data for about 38,000 applicants, '
'though no known cases of identity theft or fraud have been '
'reported.',
'impact': {'brand_reputation_impact': 'negative publicity; loss of trust in '
'Housing Connect program and Reside New '
'York',
'customer_complaints': 'concerns raised by applicants and NYC '
'Council Housing Committee Chair Pierina '
'Sanchez',
'data_compromised': ['names',
'addresses',
'incomes',
'phone numbers',
'emails',
'Social Security numbers (52 exposed)',
'birthdates (592 accessed)'],
'identity_theft_risk': 'low (no known reports of identity theft or '
'fraud)',
'operational_impact': 'corrective action plan imposed on Reside '
'New York; portal taken offline and fixed',
'systems_affected': ['Housing Connect lottery portal']},
'investigation_status': 'ongoing (corrective actions in progress)',
'lessons_learned': 'Importance of rigorous access controls for public-facing '
'portals; need for third-party vendor oversight and '
'accountability; proactive monitoring for data exposure.',
'post_incident_analysis': {'corrective_actions': ['portal fixes',
'corrective action plan for '
'Reside New York',
'enhanced monitoring',
'credit monitoring for '
'affected individuals'],
'root_causes': ['system misconfiguration in '
'third-party portal',
'inadequate access controls',
'subcontractor (LogicFold) error']},
'recommendations': ['Implement stricter access controls and regular audits '
'for third-party portals',
'Enhance vendor management policies, including '
'subcontractor oversight',
'Conduct periodic security assessments for systems '
'handling sensitive data',
'Expand dark web monitoring for exposed data',
'Provide transparent communication and support for '
'affected individuals'],
'references': [{'date_accessed': '2023-07', 'source': 'CBS News New York'},
{'date_accessed': '2023-07',
'source': 'New York City Housing Preservation and Development '
'(HPD) response letter'},
{'date_accessed': '2023-07',
'source': 'Reside New York public statements (Martin Joseph, '
'CEO)'}],
'response': {'communication_strategy': ['public statements by HPD and Reside '
'New York',
'direct notifications to affected '
'applicants',
'media interviews (CBS News New '
'York)'],
'containment_measures': ['portal taken offline immediately after '
'notification',
'misconfiguration fixed'],
'enhanced_monitoring': ['web and dark web monitoring for exposed '
'data'],
'incident_response_plan_activated': True,
'recovery_measures': ['portal secured and restored',
'applicants notified',
'311/HPD support line for affected '
'individuals'],
'remediation_measures': ['corrective action plan for Reside New '
'York',
'credit monitoring offered to affected '
'applicants',
'deeper analysis to prevent recurrence'],
'third_party_assistance': ['web/dark web monitoring service '
'(unnamed)']},
'stakeholder_advisories': ['NYC Council Housing Committee Chair Pierina '
'Sanchez',
'HPD Acting Commissioner Ahmed Tigani'],
'title': 'Data Breach in NYC Affordable Housing Lottery Program Exposes '
'Applicant Information',
'type': ['data breach', 'misconfiguration'],
'vulnerability_exploited': 'improper access controls / misconfigured portal'}