DataBreaches.Net

New York City Public Advocate notifies web site submitters of security breach, but did they downplay its scope?

Posted on December 28, 2011 by Dissent

It felt like an exercise in futility, but on Christmas Day, I started making phone calls to alert the NYC Office of the Public Advocate that their database had been hacked and personal and sensitive information of those seeking assistance had been exposed.

No one ever called me back, but having provided specific details to the police officer I spoke to about what I had seen in the data dump, I was glad to note that the data dump was removed from the web.

Now I see that the agency has also posted a public notice, linked from its home page. The notice, however, appears to downplay the amount of personal information that was acquired and dumped on the web:

During the Christmas holiday weekend, the New York City Public Advocate’s website was the target of a sophisticated cyber-attack.

Email correspondence and our internal contact management system were not accessed or exposed in any way. Information that website users submitted through forms on the website may have been accessed. Most of these submissions only include basic information such as a name and email address and no other personal information.

The Public Advocate’s Office has contacted all people whose information may have been compromised during the attack and advised these individuals to notify us if they receive any suspicious communications such as SPAM or unsolicited emails asking for personal information with reference to the Public Advocate’s Office. Additionally, anyone with questions or concerns can contact the Public Advocate’s Office at 212-669-7250.

We take the security of your information as the highest priority, and our office employs a website management system and protocols that emphasize security and privacy protection. We are currently working with various law enforcement agencies to further investigate the matter and we will assist the investigation in any way we can.

Additional Q&A:

What information was accessed by the hackers?

Following the security breach, the hackers accessed the raw data that powers the Public Advocate’s website. This includes webpage content, including embedded user comments and information submitted through forms on the website. Most of these user comments and submissions only include basic information such as a name and email address and no other personal information. The underlying website server was not breached during the attack. In addition, email correspondence and our internal contact management system were not accessed or exposed in any way.

What steps have been taken in response to the website security breach?

Upon learning of the website security breach, the Public Advocate’s Office notified law enforcement, moved to quickly reinforce security measures, and took the steps necessary to ensure that no stolen data was in the public domain. Additionally, the Public Advocate’s Office has contacted all individuals whose information may have been compromised and anyone with questions or concerns can contact the Public Advocate’s Office at 212-669-7250.

Who can I contact if I have questions or concerns about information I submitted through the Public Advocate’s website?

You can contact the Public Advocate’s Office by calling 212-669-7250.

What steps can I take to protect myself online?

Individuals who believe their information may have been compromised during this security breach are advised to not open any unsolicited emails and notify the Public Advocate’s Office of any suspicious activity, such as SPAM or unsolicited emails asking for personal information with reference to the Public Advocate’s Office. To learn more about email scams and how to protect yourself online, please visit http://onguardonline.gov for helpful information.

First of all, this is not a “may have been accessed” situation. They were accessed, they were acquired, and they were dumped on the web.

Nor do I believe it accurate to say that “Most of these submissions only include basic information such as a name and email address and no other personal information.” If people are contacting the advocate, it’s for a reason, and often a personal one that they need help with.

So while I credit the agency for disclosing the breach, I disagree with their description of its scope. See my previous post on this breach. While some submissions were relatively innocuous, some were deeply personal, detailing the individuals’ problems with public assistance, job problems, their health issues, etc. I declined to post specific examples, and will continue to decline to post what I saw, but I certainly wouldn’t want such personal submissions out in the public view and wish the public advocate’s office had been more forthcoming about the breach.

Category: Breach Incidents, Government Sector, Hack, U.S.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.