Suffolk County, New York

In 2022, Suffolk County fell victim to a BlackCat ransomware attack in which hackers installed remote-access tools, exfiltrated sensitive files, and encrypted critical systems. The breach crippled core government services for weeks and exposed the personal data of hundreds of thousands of residents, including financial and identification records. The county incurred $25 million in taxpayer-funded recovery costs, covering system restoration, forensic investigations, and operational disruptions. The attack highlighted vulnerabilities in municipal cybersecurity, prompting state-level reviews and reinforcing the need for stricter incident reporting laws, such as New York’s 72-hour disclosure mandate for cyber incidents. The prolonged outage disrupted public services, eroded trust, and demonstrated the high-stakes consequences of ransomware for local governance, in line with broader trends of escalating attacks on underprepared government entities.

Source: https://www.amny.com/law/ny-municipalities-public-authorities-must-report-cybersecurity-incidents/

TPRM report: https://www.rankiteo.com/company/suffolk-county

"id": "suf514082425",
"linkid": "suffolk-county",
"type": "Ransomware",
"date": "6/2022",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': 'Hundreds of thousands (Suffolk '
                                              'County residents in 2022 '
                                              'attack)',
                        'industry': 'Government',
                        'location': 'New York State, USA',
                        'name': 'New York State Municipalities and Public '
                                'Authorities (excluding NYC)',
                        'type': ['Local Government', 'Public Authority']},
                       {'customers_affected': 'Hundreds of thousands of '
                                              'residents',
                        'industry': 'Government',
                        'location': 'Suffolk County, New York, USA',
                        'name': 'Suffolk County, NY',
                        'type': 'Local Government'},
                       {'industry': 'Government',
                        'location': 'St. Paul, Minnesota, USA',
                        'name': 'St. Paul, Minnesota',
                        'type': 'Local Government'},
                       {'industry': 'Government',
                        'location': 'Cleveland, Ohio, USA',
                        'name': 'Cleveland Municipal Court',
                        'type': 'Judicial Body'},
                       {'industry': 'Government',
                        'location': 'Cleveland, Ohio, USA',
                        'name': 'Cleveland City Hall',
                        'type': 'Local Government'}],
 'customer_advisories': ['Residents of affected municipalities (e.g., Suffolk '
                         'County) notified of data exposure risks'],
 'data_breach': {'data_encryption': 'Yes (ransomware attacks)',
                 'data_exfiltration': 'Yes (e.g., Suffolk County 2022 attack)',
                 'number_of_records_exposed': 'Hundreds of thousands (Suffolk '
                                              'County 2022)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (includes PII and financial '
                                        'records)',
                 'type_of_data_compromised': ['Personal data',
                                              'Financial data',
                                              'Sensitive government files']},
 'date_publicly_disclosed': '2024-07-28',
 'description': 'A new state law in New York requires municipalities and '
                'public authorities (excluding New York City) to report '
                'cybersecurity incidents within 72 hours and ransomware '
                'payments within 24 hours to the New York State Division of '
                'Homeland Security and Emergency Services (DHSES). The law '
                'aims to improve the state’s ability to address cyber threats, '
                'safeguard critical infrastructure, and combat ransomware. It '
                'follows a rise in cyber incidents targeting local '
                'governments, including a 2022 BlackCat ransomware attack on '
                'Suffolk County that cost $25 million and exposed personal '
                'data of hundreds of thousands of residents. The law also '
                'mandates annual cybersecurity training for government '
                'employees and encourages use of state-provided incident '
                'response resources.',
 'impact': {'brand_reputation_impact': ['Potential public backlash for ransom '
                                        'payments',
                                        'Loss of trust in government '
                                        'cybersecurity'],
            'data_compromised': 'Hundreds of thousands of personal records '
                                '(Suffolk County 2022 attack)',
            'downtime': 'Weeks (e.g., Suffolk County 2022 attack)',
            'financial_loss': '$775 million (estimated cumulative loss in NY '
                              'from 2016–2022)',
            'identity_theft_risk': 'High (personal data of residents exposed '
                                   'in Suffolk County attack)',
            'operational_impact': ['Disruption of core services',
                                   'System shutdowns',
                                   'Need for National Guard/FBI assistance '
                                   '(e.g., St. Paul, MN)'],
            'payment_information_risk': 'High (ransomware targets '
                                        'financial/data systems)',
            'revenue_loss': '$25 million (Suffolk County 2022 attack)',
            'systems_affected': ['Municipal IT systems',
                                 'Public authority networks',
                                 'Critical infrastructure (potential)']},
 'initial_access_broker': {'backdoors_established': 'Yes (Suffolk County 2022: '
                                                    'remote-access tools '
                                                    'installed)',
                           'high_value_targets': ['Local government systems',
                                                  'Resident PII/financial '
                                                  'data']},
 'investigation_status': 'Ongoing (state-wide compliance monitoring)',
 'lessons_learned': ['Local governments are high-value targets due to vast '
                     'personal/financial data and limited cybersecurity '
                     'resources.',
                     'Ransomware payments fund hostile nation-state actors and '
                     'should be avoided where possible.',
                     'State-level coordination (e.g., NY’s DHSES, Ohio’s '
                     'CyberOhio) improves incident response for '
                     'under-resourced entities.',
                     'Proactive measures (training, NIST/CIS standards) are '
                     'critical to prevention.'],
 'motivation': ['Improving State-Wide Cybersecurity Resilience',
                'Combating Ransomware',
                'Protecting Critical Infrastructure',
                'Taxpayer Protection'],
 'post_incident_analysis': {'corrective_actions': ['Mandatory 72-hour incident '
                                                   'reporting (NY law)',
                                                   'State-funded cybersecurity '
                                                   'resources (e.g., SLCGP, '
                                                   'DHSES team)',
                                                   'Annual employee training '
                                                   'and data protection '
                                                   'standards',
                                                   'Post-incident reviews to '
                                                   'refine response '
                                                   'strategies'],
                            'root_causes': ['Insufficient cybersecurity '
                                            'funding for local governments',
                                            'Lack of standardized '
                                            'training/incident response '
                                            'protocols',
                                            'Attractiveness of municipal data '
                                            'to ransomware groups (e.g., '
                                            'BlackCat)',
                                            'Delayed or absent reporting in '
                                            'past incidents']},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes (Suffolk County 2022)',
                'ransom_paid': '$25 million (Suffolk County 2022, BlackCat '
                               'group)',
                'ransomware_strain': ['BlackCat (Suffolk County 2022)']},
 'recommendations': ['Review and update incident response plans to comply with '
                     'NY’s 72-hour reporting requirement.',
                     'Leverage state-provided resources (e.g., DHSES Cyber '
                     'Incident Response Team, SLCGP funding).',
                     'Adopt NIST and CIS best practices for cybersecurity.',
                     'Conduct annual cybersecurity training for all government '
                     'employees.',
                     'Engage legal counsel to review ransomware payment '
                     'rationales before reporting.',
                     'Pre-populate incident log templates with required '
                     'disclosure fields.'],
 'references': [{'source': 'New York State Division of Homeland Security and '
                           'Emergency Services (DHSES)'},
                {'source': 'Governor Kathy Hochul’s Statement on Cybersecurity '
                           'Law'},
                {'source': '2023 NY State Comptroller Report on Cybersecurity '
                           'Incidents'},
                {'source': 'U.S. National Resilience Strategy (March 2024)'},
                {'source': 'DHS State and Local Cybersecurity Grant Program '
                           '(SLCGP)'},
                {'source': 'Harris Beach Murtha – Attorney Alan M. Winchester '
                           '(Cybersecurity Practice)'}],
 'regulatory_compliance': {'regulatory_notifications': ['Mandatory reporting '
                                                        'to DHSES within 72 '
                                                        'hours (incidents) / '
                                                        '24 hours (ransomware '
                                                        'payments)',
                                                        'Exemption from FOIL '
                                                        'disclosure for '
                                                        'reported data']},
 'response': {'communication_strategy': ['Public disclosure of incidents (as '
                                         'required by law)',
                                         'Stakeholder advisories for affected '
                                         'residents'],
              'incident_response_plan_activated': ['State-mandated reporting '
                                                   'within 72 hours',
                                                   'Ransomware payment '
                                                   'reporting within 24 hours',
                                                   'Use of DHSES Cyber '
                                                   'Incident Response Team'],
              'law_enforcement_notified': ['FBI (in cases like St. Paul)',
                                           'DHSES (mandatory for NY entities)'],
              'recovery_measures': ['State-funded support via SLCGP',
                                    'Access to Ohio Cyber Range Institute (for '
                                    'Ohio entities)'],
              'remediation_measures': ['Annual cybersecurity training for '
                                       'employees',
                                       'Data protection standards for state '
                                       'systems',
                                       'Post-incident reviews'],
              'third_party_assistance': ['FBI (e.g., St. Paul attack)',
                                         'National Guard (e.g., St. Paul '
                                         'attack)',
                                         'State-provided incident response '
                                         'resources']},
 'stakeholder_advisories': ['Municipalities must report incidents via DHSES '
                            'portal',
                            'Legal review recommended for ransomware '
                            'disclosures'],
 'title': 'New York State Mandates Cybersecurity Incident Reporting for '
          'Municipalities and Public Authorities',
 'type': ['Regulatory Policy',
          'Cybersecurity Incident Reporting Mandate',
          'Ransomware Response Protocol']}