The Business Council of New York State (BCNYS), a prominent association representing businesses and professional organizations across New York, suffered a cyberattack in late February 2025, which remained undetected until August. The breach resulted in the theft of highly sensitive personal, financial, and healthcare data of **47,329 individuals**. Compromised information included full names, Social Security numbers (SSNs), dates of birth, state ID numbers, financial account details (routing numbers, payment card numbers, PINs, expiration dates), taxpayer IDs, and electronic signatures. Additionally, extensive healthcare data was stolen, covering medical diagnoses, treatment records, prescriptions, provider names, and insurance information. While no evidence of misuse (e.g., identity theft, phishing, or fraud) has been observed yet, the stolen data poses severe risks, including unauthorized financial transactions, fraudulent tax filings, and medical identity theft. BCNYS has offered free identity theft protection and credit monitoring to victims, advising them to implement fraud alerts, credit freezes, and multifactor authentication (MFA) across accounts. The delayed discovery of the breach (nearly **6 months**) exacerbates the potential for long-term exploitation of the exposed data.
TPRM report: https://www.rankiteo.com/company/the-business-council-of-new-york-state-inc.
"id": "the641082025",
"linkid": "the-business-council-of-new-york-state-inc.",
"type": "Cyber Attack",
"date": "2/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': 47329,
'industry': 'business advocacy',
'location': 'New York, USA',
'name': 'The Business Council of New York State '
'(BCNYS)',
'type': 'non-profit association'}],
'customer_advisories': 'Public disclosure includes guidance on fraud alerts, '
'credit freezes, MFA, and monitoring financial/medical '
'records for suspicious activity.',
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': 47329,
'personally_identifiable_information': True,
'sensitivity_of_data': 'high (includes SSN, financial, '
'healthcare, and taxpayer data)',
'type_of_data_compromised': ['personally identifiable '
'information (PII)',
'financial information',
'payment card information',
'healthcare information',
'taxpayer information',
'electronic signatures']},
'date_detected': '2025-08-01T00:00:00Z',
'date_publicly_disclosed': '2025-08-01T00:00:00Z',
'description': 'The Business Council of New York State (BCNYS) suffered a '
'cyberattack in February 2025, discovered in August 2025, '
'resulting in the theft of sensitive personal, payment, and '
'healthcare information of 47,329 individuals. The stolen data '
'includes full names, Social Security numbers (SSN), dates of '
'birth, state identification numbers, financial account '
'details, payment card information, taxpayer identification '
'numbers, electronic signatures, and extensive healthcare '
'data. There is no evidence yet of the stolen data being '
'abused in identity theft, phishing, or other cybercrime, but '
'victims are advised to take precautionary measures such as '
'placing fraud alerts, monitoring financial statements, and '
'enabling multifactor authentication.',
'impact': {'brand_reputation_impact': 'potential reputational damage due to '
'exposure of sensitive personal and '
'healthcare data',
'data_compromised': ['full names',
'Social Security numbers (SSN)',
'dates of birth',
'state identification numbers',
'financial institution names',
'financial account numbers',
'routing numbers',
'payment card numbers',
'PINs',
'payment card expiration dates',
'taxpayer identification numbers',
'electronic signatures',
'names of medical providers',
'medical diagnosis and conditions',
'prescription information',
'medical treatment and procedures data',
'healthcare insurance information'],
'identity_theft_risk': 'high (stolen data includes SSN, financial, '
'and healthcare information)',
'payment_information_risk': 'high (payment card numbers, PINs, and '
'financial account details exposed)'},
'initial_access_broker': {'high_value_targets': ['personal data',
'financial data',
'healthcare data']},
'investigation_status': 'ongoing (as of August 2025)',
'ransomware': {'data_exfiltration': True},
'recommendations': ['Place a fraud alert or credit freeze with major credit '
'bureaus',
'Monitor bank and credit card statements daily',
'Sign up for identity theft protection or credit '
'monitoring (offered free by BCNYS)',
'Change passwords and enable multifactor authentication '
'(MFA) on all accounts',
'Notify banks and insurers of potential fraud',
'Request an IRS Identity Protection PIN to block fake tax '
'filings',
'Review insurance Explanation of Benefits (EOB) '
'statements for suspicious medical activity',
'Contact healthcare providers to flag any unauthorized '
'medical services'],
'references': [{'source': 'BleepingComputer'},
{'source': 'Office of the Maine Attorney General (breach '
'report)'}],
'regulatory_compliance': {'regulatory_notifications': ['Office of the Maine '
'Attorney General']},
'response': {'communication_strategy': ['public disclosure via Maine Attorney '
'General report',
'advisories to victims on protective '
'measures'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'remediation_measures': ['investigation launched',
'authorities notified',
'free identity theft protection and '
'credit monitoring offered to victims']},
'stakeholder_advisories': 'Victims advised to take precautionary measures '
'against identity theft and fraud; BCNYS offers '
'free identity theft protection and credit '
'monitoring.',
'threat_actor': 'unidentified cybercriminals',
'title': 'Cyberattack on The Business Council of New York State (BCNYS)',
'type': ['data breach', 'cyberattack']}