Cyberlands.io - API Penetration Testing

Top 10 Cybersecurity Breaches in New York

Learn about the state of cybersecurity in New York and the 10 biggest breaches in the city.
With the adoption of the Cybersecurity and Data Breach Law in 2019, New York companies that store any private information about NY residents and entities have to adopt data security safeguards that fully comply with the provisions of the SHIELD Act within 240 days. The core idea of this law is to extend the reach of New York's breach notification and cybersecurity requirements to protect the personal data of NY residents and the critical data of New York entities.

That's only one of the many cybersecurity precautions taken by the NY government over the last few years. And since the world is going digital and is expected to rely on even more technical solutions and innovative optimizations in the future, there has never been a better time to improve digital security. In 2019, New York's authorities invested around $55.7 million in cybersecurity alone. Needless to say, after the pandemic outbreak, with millions of NY residents and companies having switched to remote work, the investments will only increase.

However, it's not enough to simply invest in cybersecurity. It's even more important to regularly test your systems for vulnerabilities and look for improvements you can start implementing today. One way to do this is to learn from the most infamous cybersecurity breaches at different organizations within and outside New York City!
#1 The Computer System of Metropolitan Transportation Authority Breached in April 2021
One of the most valuable sources of insight into cybersecurity attacks is a detailed overview of the most recent security breaches that occurred within a year. For instance, the nation's largest mass transit agency, based in New York, was attacked by hackers in April 2021. The intrusion was uncovered when cybercriminals exploited specific security vulnerabilities in Pulse Connect Secure, VPN software used for reaching the internal network remotely.

According to the latest information, the hackers attacked 3 of 18 systems, after which they were repelled by the security department of the Metropolitan Transportation Authority. After a detailed inspection of the operational systems, the leading security company Mandiant stated that no private information of employees or customers was breached; the firm also found no signs of significant system changes or data loss.

As a precautionary measure, the MTA security department announced that it had forced a password change for over 3,700 employees and switched to other VPNs to improve digital security.
#2 NYC Law Department's System Hacked in June 2021
According to leading U.S. security experts, attacks on critical infrastructure are an emerging problem that is growing around the world. City Hall reported a breach of the computer system at New York City's Law Department, the 1,000-lawyer agency that represents the city in court. According to spokesperson Laura Feyer, the hackers gained "unauthorized access" to the system, and an investigation was launched. Hackers have used ransomware tools to break into government and private computer networks.

To stop the attack, city officials disconnected the Law Department's computers from New York City's largest internal network. As a result of the internal system breach, none of the lawyers were able to log on to the computer system!
#3 Manufacturer of Homeware OXO International Disclosed a Breach
The New York-based manufacturer of homeware, office supplies, and kitchen utensils reported a data breach that occurred between June 2017 and October 2018. The security specialists reported that the incident "may have exposed some of [customers'] personal information", which mostly refers to users who accessed the oxo.com domain during this period.

The cause of the OXO data breach was "unauthorized code" placed on the firm's website by hackers. However, apart from the "malicious" nature of this code, the company didn't reveal any other details regarding the possible sources and outcomes of this malware.
#4 World-Famous News Source The New York Times Has Been Attacked
Credible news sources are another major target for cybercriminals. In April 2017, a spokesperson for the NYT reported that its website had crashed because of a "malicious external attack."

Although similar issues had earlier occurred because of internal errors on the site, after a detailed inspection of this incident, computer security experts noticed that the Times' site briefly pointed to a domain of the Syrian Electronic Army. That infamous group had earlier hacked such well-known media companies as the BBC, the Washington Post, and, in its most successful attack, the Associated Press's Twitter account. In the last case, the hijacked account claimed that U.S. President Obama had been injured, which caused a huge stir on the stock market.
#5 The Ongoing Cyber Attack Affected the System of New York Hospital
In November 2020, the hospital system's security department detected an attempt to install malware on a machine in its computer network. According to official sources, no personal data was compromised, but hospital officials didn't reveal the details of this hacking incident.

SUNY Canton's cybersecurity professor Minhua Wang considers that the quick reaction to the computer virus intrusion may have prevented a serious data breach, as well as saved the healthcare units from losing control over the internal system.

The type of virus that affected part of the computer system, called Ryuk, can extort payment from victims in exchange for restoring the system. Because the attack impacted the workflow of several medical institutions at once, experts tend to assume this wasn't simple phishing, but a coordinated attack on St. Lawrence Health System.
#6 Data Breach at New York University Could Have Affected Around 47,000 Individuals
The Research Foundation for the State University of New York, also known as SUNY, reported unauthorized access to its networks in August 2021. According to official information from the investigation, the hacking incident happened earlier this year, on July 14, 2021.

The intrusion occurred because of unauthorized activity between May 22 and July 9 of the current year. As a result of the system security breach, an unauthorized party obtained files stored on the Research Foundation's file servers.

As a precaution against further attacks, the Research Foundation has announced that it is consistently taking the necessary steps to enhance the security of its network. In particular, the organization has given assurances that it is enrolling eligible individuals in complimentary one-year credit monitoring and data theft protection services.
#7 New York Airport Discovered an Attack on Its Servers at Christmas
In January 2020, the Albany County Airport Authority announced that it had been attacked by ransomware over Christmas. According to officials, the cyberattack was uncovered after Schenectady-based LogicalNet reported that its management services network had been breached.

As a result of this attack, the virus migrated to the authority's servers and backup servers, encrypting all the internal files stored at the airport authority, mostly administrative files like budget spreadsheets. Airport officials said that no personal or financial data of their clients was leaked, and that the attack did not impact the overall workflow of Albany International Airport, the Transportation Security Administration, or the airlines' internal computer systems. However, the airport authority's insurance carrier authorized payment of the bitcoin ransom in exchange for an encryption key to restore its data.
#8 $42 Million or Leak Dirt on Trump: Ransomware Gang Attacked NY Law Firm
In May 2020, a New York-based law firm confirmed a ransomware attack by the REvil (Sodinokibi) group, which was threatening to leak tons of private files on the company's celebrity clients. To prevent this, the company was pressured to pay a whopping $42 million.

According to officials, the gang stole a large number of private files stored on the law firm's internal network before encrypting them. As proof, its operators also published a message to the GSMS staff with screenshots of files pertaining to the law firm's famous clients, including Lady Gaga, Madonna, Nicki Minaj, U2, Outkast, Jessica Simpson, Facebook, and others.

The hackers were offered $365,000 of the $21 million they asked for, but after a certain period of time, they doubled their demand to $42 million and leaked a 2.4 GB archive containing various legal documents of Lady Gaga to prove they were serious.
#9 Apex Laboratory Became the Victim of a Ransomware Attack
According to Apex's official statement, the company was attacked by ransomware on July 25, 2020, which resulted in a loss of access and the system being encrypted. Further investigation of this access uncovered a massive data leak that contained personal and health information for some patients. The data might have been breached and stolen from its servers between July 21 and July 25, 2020.

While taking the necessary precautions to fix the system vulnerabilities used by the hackers, Apex was also notifying the affected clients by written mail and said it had also contacted law enforcement. According to the information previously published, the stolen data could include the names, dates of birth, phone numbers, Social Security numbers, and test results of its patients.
#10 SSNs Exposed During the Hack of New York Boarding School
Emma Willard School has reported dealing with a cyberattack that occurred this summer. According to Head of School Jennifer Rao, during the attack cybercriminals obtained the personal financial data of some members of the Emma Willard community, as well as employees' Social Security numbers.

After the incident, school officials notified law enforcement and brought in external cybersecurity experts to confirm what data was accessed and how to prevent further attacks.
Conclusion
As you can see, there are many cybersecurity breach cases you should consider in order to strengthen the security of any organization, company, or entity that works with NY private data. Once you are aware of the most typical tactics cybercriminals use, it becomes clearer where to look for system vulnerabilities, how to remove them effectively, and how to put together a concrete guide on how to react if a data breach happens.

So, if you're ready to start improving the security of your business today, feel free to start with a detailed analysis of the cyberattacks mentioned above! With this information in mind, you'll be able to create a solid and reliable security development strategy. If you need advice from professionals, the Cyberlands team will be glad to assist you!
Cyberlands.io Team