By T. Jayani, JadeTimes News

In April, a cyberattack targeted the New York state legislature, compromising the sensitive financial data of up to 710 New Yorkers, according to an incident report obtained by New York Focus through a public records request. The legislature's response to the security flaws that allowed the breach remains unclear.

The attack focused on the Legislative Bill Drafting Commission, the office responsible for drafting bills proposed by lawmakers. The hack, widely reported at the time, disrupted the bill drafting process and forced staff to temporarily use an outdated 1994 computer system while finalizing the state budget, as noted by Governor Kathy Hochul. However, it was not previously known that the hackers accessed sensitive financial information.

On April 17, government officials indicated that the attack appeared to be a ransomware incident, where hackers typically demand payment in exchange for restoring access to data. The unidentified hackers obtained driver’s license numbers, credit card details, and Social Security numbers, according to the incident report.

The report revealed that 730 individuals were affected, including 710 New York residents, though it did not specify the types of information compromised for each individual. Douglas Jones, emeritus professor of computer science at the University of Iowa, warned that the stolen data could be used for identity theft, enabling hackers to open bank accounts, take out loans, or make credit card purchases in victims’ names.

Legislative leaders have declined to provide further details on the attack or their response. Christopher Higgins, head of the Legislative Bill Drafting Commission, referred inquiries to Senate Democrats’ communications director, Michael Murphy, who did not respond to multiple requests for comment. Assembly Speaker Carl Heastie’s spokesperson, Michael Whyland, also did not comment.

When state entities experience a data breach, they are legally required to inform the Office of Information Technology Services (ITS), the state agency overseeing cybersecurity, which must then conduct an investigation. Although ITS assisted in restoring the computer system, there is no indication that the legislature reported the stolen financial data, nor has the agency conducted an investigation.

Scott Reif, head of communications for ITS, stated that once the system was restored, ITS considered its role complete. He added that the Legislative Bill Drafting Commission did not meet specific legal requirements that would have triggered further action by ITS or other agencies.

Governor Hochul had promised to investigate the attack and share the results with the public, but it is unclear whether she has the authority to conduct such an investigation without the legislature’s cooperation. During an interview on WNYC’s The Brian Lehrer Show, Hochul emphasized her administration's strong cybersecurity team and pledged to inform the public as more information becomes available.

Key questions about the breach remain unanswered, including who was affected by the attack, as fewer than 500 people work for the Bill Drafting Commission, yet 730 individuals were impacted. Additionally, cybersecurity experts have raised concerns about whether the hackers altered the text of laws or bills. The incident report mentioned that other nonfinancial information was obtained but did not specify what that was.

Previous hacks on state agencies did not result in compromised financial data, and there is no evidence that such data was accessed in those cases. However, the lack of investigation into the recent attack raises concerns about the state's approach to preventing cyberattacks. Albert Fox Cahn, founder of the Surveillance Technology Oversight Project, emphasized the need to understand the state’s cybersecurity investments to prevent future incidents.

Last year, Governor Hochul increased the state’s cybersecurity budget by $35 million and introduced a statewide cybersecurity strategy, but the executive branch lacks the authority to impose cybersecurity rules on the legislature. Experts suggest that the hack was exacerbated by outdated security practices, including the apparent use of the same system for bill drafting and payroll, as well as a lack of an updated backup system.

Cahn urged state government to treat the attack as a wake up call, noting the critical infrastructure that was crippled and the confidential information exposed. He expressed concern over the lack of an expanded response to the incident.