New York City Public Advocate notifies web site submitters of security breach, but did they downplay its scope?
It felt like an exercise in futility, but on Christmas Day, I started making phone calls to alert the NYC Office of the Public Advocate that their database had been hacked and personal and sensitive information of those seeking assistance had been exposed.
No one ever called me back, but having provided specific details to the police officer I spoke to about what I had seen in the data dump, I was glad to note that the data dump was removed from the web.
Now I see that the agency has also posted a public notice, linked from its home page. The notice, however, appears to downplay the amount of personal information that was acquired and dumped on the web:
> During the Christmas holiday weekend, the New York City Public Advocate’s website was the target of a sophisticated cyber-attack.
> Email correspondence and our internal contact management system were not accessed or exposed in any way. Information that website users submitted through forms on the website may have been accessed. Most of these submissions only include basic information such as a name and email address and no other personal information.
> The Public Advocate’s Office has contacted all people whose information may have been compromised during the attack and advised these individuals to notify us if they receive any suspicious communications such as SPAM or unsolicited emails asking for personal information with reference to the Public Advocate’s Office. Additionally, anyone with questions or concerns can contact the Public Advocate’s Office at 212-669-7250.
> We take the security of your information as the highest priority, and our office employs a website management system and protocols that emphasize security and privacy protection. We are currently working with various law enforcement agencies to further investigate the matter and we will assist the investigation in any way we can.
> What information was accessed by the hackers?
> Following the security breach, the hackers accessed the raw data that powers the Public Advocate’s website. This includes webpage content, including embedded user comments and information submitted through forms on the website. Most of these user comments and submissions only include basic information such as a name and email address and no other personal information. The underlying website server was not breached during the attack. In addition, email correspondence and our internal contact management system were not accessed or exposed in any way.
> What steps have been taken in response to the website security breach?
> Upon learning of the website security breach, the Public Advocate’s Office notified law enforcement, moved to quickly reinforce security measures, and took the steps necessary to ensure that no stolen data was in the public domain. Additionally, the Public Advocate’s Office has contacted all individuals whose information may have been compromised and anyone with questions or concerns can contact the Public Advocate’s Office at 212-669-7250.
> Who can I contact if I have questions or concerns about information I submitted through the Public Advocate’s website?
> You can contact the Public Advocate’s Office by calling 212-669-7250.
> What steps can I take to protect myself online?
> Individuals who believe their information may have been compromised during this security breach are advised to not open any unsolicited emails and notify the Public Advocate’s Office of any suspicious activity, such as SPAM or unsolicited emails asking for personal information with reference to the Public Advocate’s Office. To learn more about email scams and how to protect yourself online, please visit http://onguardonline.gov for helpful information.
First of all, this is not a “may have been accessed” situation. They were accessed, they were acquired, and they were dumped on the web.
Nor do I believe it accurate to say that “Most of these submissions only include basic information such as a name and email address and no other personal information.” If people are contacting the advocate, it’s for a reason, and often a personal one that they need help with.
So while I credit the agency for disclosing the breach, I disagree with their description of its scope. See my previous post on this breach. While some submissions were relatively innocuous, some were deeply personal, detailing the individuals’ problems with public assistance, job problems, their health issues, etc. I declined to post specific examples, and will continue to decline to post what I saw, but I certainly wouldn’t want such personal submissions out in the public view and wish the public advocate’s office had been more forthcoming about the breach.