NY Business Council discloses data breach affecting 47,000 people

The Business Council of New York State (BCNYS) has revealed that attackers who breached its network in February stole the personal, financial, and health information of over 47,000 individuals.
As the state’s largest statewide employer association, BCNYS represents over 3,000 member organizations, including chambers of commerce, professional and trade associations, and other local and regional business organizations, as well as some of the largest corporations worldwide, which employ more than 1.2 million New Yorkers.
According to a filing with Maine’s attorney general, BCNYS is now notifying 47,329 individuals potentially affected by this data breach that the attackers had access to its internal systems between February 24 and February 25.
The business council detected the breach almost six months later, on August 4, and, following an investigation into the incident’s impact, discovered that the threat actors had accessed and stolen files containing personal, financial, or medical information.
“Upon detecting the unauthorized activity, BCNYS immediately contained the incident and launched a thorough investigation. As a part of the investigation, BCNYS engaged leading outside cybersecurity professionals to secure the environment and to identify the scope of what personal information, if any, was involved,” it said in breach notification letters mailed to affected individuals.
“To date, we have no evidence of financial or medical fraud or identity theft related to this incident. Nevertheless, we will be providing notice of the incident to the individuals whose personal information was potentially impacted.”
During the incident, the attackers stole a combination of full names, Social Security numbers, dates of birth, state identification numbers, financial institution names, financial account and routing number information, as well as payment card numbers, payment card access PINs, payment card expiration dates, taxpayer identification numbers, and electronic signature information.
BCNYS added that the health data exposed in the attack includes medical provider name, medical diagnosis or condition information, prescription information, medical treatment or procedure information, and health insurance information.
The business council will provide free credit monitoring memberships to those whose Social Security numbers have been exposed, and urged individuals impacted by this data breach to monitor their account statements for identity theft attempts and their free credit reports for suspicious activity.
A BCNYS spokesperson was not immediately available for comment when contacted by BleepingComputer.