The Business Council of New York State (BCNYS), the state’s largest employer association with over 3,000 member organizations, suffered a data breach in February 2024. Attackers infiltrated its network between **February 24–25**, exfiltrating sensitive personal, financial, and health data of **47,329 individuals**, including: - **Full names, Social Security numbers, dates of birth, and state IDs** - **Financial details** (account/routing numbers, payment card data, PINs, taxpayer IDs, electronic signatures) - **Health records** (medical diagnoses, prescriptions, treatments, insurance info, provider names) The breach was detected **six months later (August 4)**, prompting an investigation with external cybersecurity experts. While no evidence of fraud or identity theft has surfaced yet, BCNYS is offering **free credit monitoring** to affected individuals and advising vigilance against potential misuse. The incident exposes critical vulnerabilities in BCNYS’s cybersecurity posture, risking long-term reputational harm and regulatory scrutiny.
TPRM report: https://www.rankiteo.com/company/the-business-council-of-new-york-state-inc.
"id": "the532083025",
"linkid": "the-business-council-of-new-york-state-inc.",
"type": "Breach",
"date": "2/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': '47,329 individuals',
'industry': 'Business Advocacy',
'location': 'New York, USA',
'name': 'Business Council of New York State (BCNYS)',
'size': 'Represents over 3,000 member organizations '
'employing over 1.2 million New Yorkers',
'type': 'Non-profit employer association'}],
'customer_advisories': ['Breach notification letters with guidance on credit '
'monitoring and fraud prevention',
'Encouragement to monitor financial and credit '
'reports'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': '47,329',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (includes SSNs, financial '
'account details, payment card info, '
'and protected health information)',
'type_of_data_compromised': ['Personal Information',
'Financial Information',
'Health Information']},
'date_detected': '2023-08-04',
'description': 'The Business Council of New York State (BCNYS) revealed that '
'attackers breached its network in February 2023, stealing the '
'personal, financial, and health information of over 47,000 '
'individuals. The breach was detected on August 4, 2023, after '
'the threat actors accessed internal systems between February '
'24 and February 25. The stolen data includes full names, '
'Social Security numbers, dates of birth, state identification '
'numbers, financial account details, payment card information, '
'taxpayer identification numbers, electronic signatures, and '
'health data (e.g., medical diagnoses, prescriptions, '
'treatment info, and health insurance details). BCNYS is '
'offering free credit monitoring to affected individuals and '
'has engaged cybersecurity professionals to investigate and '
'secure the environment.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'exposure of sensitive personal, '
'financial, and health data of 47,329 '
'individuals',
'data_compromised': ['Full names',
'Social Security numbers',
'Dates of birth',
'State identification numbers',
'Financial institution names',
'Financial account and routing numbers',
'Payment card numbers',
'Payment card access PINs',
'Payment card expiration dates',
'Taxpayer identification numbers',
'Electronic signature information',
'Medical provider names',
'Medical diagnosis/condition information',
'Prescription information',
'Medical treatment/procedure information',
'Health insurance information'],
'identity_theft_risk': 'High (Social Security numbers, financial, '
'and health data exposed)',
'payment_information_risk': 'High (payment card numbers, PINs, and '
'expiration dates exposed)',
'systems_affected': ['Internal systems']},
'initial_access_broker': {'high_value_targets': ['Personal, financial, and '
'health data of 47,329 '
'individuals']},
'investigation_status': 'Ongoing (as of disclosure; no evidence of fraud or '
'identity theft reported yet)',
'post_incident_analysis': {'corrective_actions': ['Engaged cybersecurity '
'professionals to secure '
'the environment']},
'ransomware': {'data_exfiltration': True},
'recommendations': ['Monitor account statements for identity theft attempts',
'Review free credit reports for suspicious activity',
'Engage cybersecurity professionals for incident '
'investigation and remediation'],
'references': [{'source': 'BleepingComputer'},
{'source': 'Maine Attorney General Breach Filing'}],
'regulatory_compliance': {'regulatory_notifications': ['Maine Attorney '
'General (as part of '
'breach disclosure)']},
'response': {'communication_strategy': ['Breach notification letters mailed '
'to affected individuals',
'Public disclosure via Maine attorney '
'general filing',
'Offer of free credit monitoring for '
'exposed Social Security numbers'],
'containment_measures': 'Immediate containment upon detection',
'incident_response_plan_activated': True,
'third_party_assistance': ['Leading outside cybersecurity '
'professionals']},
'title': 'Business Council of New York State (BCNYS) Data Breach',
'type': ['Data Breach', 'Unauthorized Access']}