New York Cybersecurity Incidents: Notable Breaches & Ransomware Attacks
A timeline of major cyber incidents affecting New York organizations, from the Capital One breach to the Suffolk County ransomware attack, and what businesses can learn from each one.
New York is home to some of the largest financial institutions, healthcare systems, and law firms in the world — and that concentration of high-value data makes the state a persistent target for cybercriminals. From Wall Street banks holding trillions in assets to city agencies managing millions of residents' personal information, the attack surface across New York is staggering in both scale and complexity.
Understanding the state's breach history is not an academic exercise. Each incident below reveals patterns that New York businesses of every size should study: the attack vectors that succeeded, the regulatory consequences that followed, and the defensive gaps that allowed the breach to happen in the first place. New York's cybersecurity compliance requirements have tightened significantly in response to these events.
Major Cyber Incidents in New York (Timeline)
The following incidents represent some of the most significant cybersecurity events affecting New York-based organizations. Each one shaped regulatory responses and industry practices in measurable ways.
Capital One Data Breach (2019)
In July 2019, a former Amazon Web Services employee exploited a misconfigured web application firewall to access Capital One's cloud-hosted data. The breach exposed personal information of approximately 106 million customers and applicants across the United States and Canada, including 140,000 Social Security numbers and 80,000 linked bank account numbers. Capital One, headquartered in Virginia but with major operations in New York, ultimately paid over $190 million in settlements and an $80 million fine from the Office of the Comptroller of the Currency.
First American Financial Corporation (2019)
First American Financial, one of the largest title insurance companies in the US with significant New York operations, exposed approximately 885 million records dating back to 2003. The records included Social Security numbers, bank account details, mortgage documents, tax records, and wire transaction receipts. The exposure resulted from a website design flaw known as an insecure direct object reference (IDOR), which allowed anyone with a valid document link to access other records simply by modifying the URL. The SEC charged First American with cybersecurity disclosure violations in 2023.
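The IDOR pattern described above, as an added example that is not part of the original article or of First American's systems: a document lookup that trusts the ID in the URL, beside a hardened version that enforces ownership and issues non-guessable links. The record store, user names and document IDs are constructed for the demonstration.

```python
"""Insecure direct object reference (IDOR) beside its fix.
Added example; the record store and IDs below are constructed for the demo."""
import secrets

# Constructed sample store with sequential IDs, the kind an IDOR-prone site exposes in URLs.
DOCUMENTS = {
    1001: {"owner": "alice", "title": "Mortgage closing packet"},
    1002: {"owner": "bob", "title": "Wire transfer receipt"},
}


class Forbidden(Exception):
    """Raised when the caller is not authorized to view the requested record."""


def get_document_vulnerable(requesting_user: str, doc_id: int) -> dict:
    """Vulnerable: whoever holds one valid link can read any record in the
    sequence by changing the number; the requesting user is never checked."""
    return DOCUMENTS[doc_id]


def get_document_hardened(requesting_user: str, doc_id: int) -> dict:
    """Hardened: the server verifies that the authenticated user owns the record.
    Missing and foreign records fail identically so existence is not leaked."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != requesting_user:
        raise Forbidden("not authorized")
    return doc


# Defense in depth: expose opaque tokens instead of sequential IDs so a leaked
# link cannot be turned into neighbouring records by incrementing a number.
TOKEN_TO_DOC_ID = {}


def issue_link_token(doc_id: int) -> str:
    """Return a random, non-enumerable token that refers to one document."""
    token = secrets.token_urlsafe(32)
    TOKEN_TO_DOC_ID[token] = doc_id
    return token


def get_document_by_token(requesting_user: str, token: str) -> dict:
    """Resolve the token, then still enforce the ownership check: an unguessable
    link is a second layer, not a substitute for authorization."""
    doc_id = TOKEN_TO_DOC_ID.get(token)
    if doc_id is None:
        raise Forbidden("not authorized")
    return get_document_hardened(requesting_user, doc_id)
```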
New York City Law Department Hack (2021)
In June 2021, the New York City Law Department — the legal arm representing the city in all litigation — suffered a cyberattack that forced the office to disconnect from the city's network. The attack disrupted thousands of pending cases and temporarily prevented attorneys from accessing case files, emails, and critical legal documents. The breach exposed the vulnerability of government legal operations and the cascading effects a single compromised system can have on municipal functions.
Suffolk County Ransomware Attack (2022)
In September 2022, the BlackCat (ALPHV) ransomware group attacked Suffolk County on Long Island, one of the most populous counties in New York. The attack crippled county government operations for months, taking down email systems, disabling the county clerk's office, disrupting the 911 dispatch system, and forcing a return to paper-based processes. The county estimated recovery costs exceeding $17 million. Investigators traced the initial compromise to an unpatched Log4j vulnerability in a county-operated web application.
Excellus BlueCross BlueShield (2015)
Rochester-based Excellus BlueCross BlueShield disclosed that hackers had accessed the personal information of approximately 10.5 million individuals over a period spanning December 2013 to May 2015. Compromised data included names, dates of birth, Social Security numbers, member ID numbers, financial account information, and claims data. The breach went undetected for over 18 months. Excellus paid $5.1 million to settle HIPAA violation charges with the Department of Health and Human Services.
Syracuse University Data Breach (2020)
Syracuse University notified students and employees after an unauthorized party gained access to an employee's email account, exposing personal data including names, Social Security numbers, and financial aid information. The incident highlighted the vulnerability of higher education institutions, which manage vast quantities of sensitive student and research data with often limited cybersecurity budgets.
NYC Health + Hospitals (2021)
New York City's public hospital system reported unauthorized access to employee email accounts, potentially exposing patient information including names, dates of birth, medical record numbers, and in some cases Social Security numbers and treatment information. Because NYC Health + Hospitals is the largest public health care system in the United States, serving over a million patients annually, the breach underscored the cybersecurity challenges facing healthcare organizations.
Morgan Stanley Data Breaches (2020–2021)
Morgan Stanley disclosed two separate data breach incidents involving the improper disposal of legacy IT equipment. Decommissioned data center servers and other hardware containing unencrypted customer data were sold to a third party without proper data wiping. The breaches affected approximately 15 million customers. The OCC fined Morgan Stanley $60 million, and a $60 million class action settlement followed. These incidents demonstrated that data security extends well beyond active systems to end-of-life hardware management.
New York's Data Breach Notification Law
New York enacted the SHIELD Act (Stop Hacks and Improve Electronic Data Security Act) in 2019, significantly expanding the state's previous data breach notification requirements under NY General Business Law §899-aa. The SHIELD Act was a direct legislative response to the escalating frequency and severity of breaches affecting New York residents.
Broadened Definition of Private Information
The SHIELD Act expanded the definition of 'private information' beyond traditional identifiers. In addition to Social Security numbers, driver's license numbers, and financial account numbers, the law now covers biometric information, email addresses combined with passwords or security questions, and account numbers or credit/debit card numbers even without a security code if the data could be used to access the account.
Reasonable Safeguards Requirement
Unlike the original notification law, the SHIELD Act imposes affirmative data security requirements. Businesses that own or license the private information of New York residents must implement 'reasonable safeguards' across three categories: administrative safeguards (designating a security coordinator, employee training, vendor management), technical safeguards (risk assessment, intrusion detection, secure data disposal), and physical safeguards (detecting and preventing unauthorized access to physical systems).
Small businesses — defined as those with fewer than 50 employees, under $3 million in gross revenue for the past three years, or under $5 million in year-end total assets — may implement a security program appropriate for their size and complexity. However, they are not exempt from the requirement entirely.
Which New York Industries Are Most Targeted?
While no industry is immune, New York's economic profile creates distinct concentrations of cyber risk that attackers actively exploit. The state's threat landscape reflects its dominant industries.
Financial Services
Wall Street and the broader New York financial sector represent the highest-value target in the state. Banks, hedge funds, private equity firms, insurance companies, and fintech startups all process enormous volumes of financial data. The NY Department of Financial Services (DFS) has responded with 23 NYCRR 500, one of the most prescriptive cybersecurity regulations in the country, precisely because the industry faces constant, sophisticated attacks from both criminal groups and nation-state actors.
Healthcare
New York's healthcare sector — spanning major hospital systems like NYU Langone, Mount Sinai, and Northwell Health along with thousands of smaller practices — faces relentless targeting for protected health information (PHI). Medical records command premium prices on dark web marketplaces because they contain the combination of personal, financial, and insurance data needed for identity fraud and insurance scams.
Law Firms
New York City houses more large law firms than any other city in the world. These firms hold extraordinarily sensitive information: M&A deal data, litigation strategies, intellectual property, and attorney-client privileged communications. A breach at a major firm can affect thousands of clients across multiple industries.
Media and Publishing
Major media organizations headquartered in New York — from television networks to global newspaper publishers — face both traditional cybercrime and ideologically motivated attacks. Newsroom systems, source databases, and unpublished investigative material are all high-value targets.
State and Local Government
As the Suffolk County attack demonstrated, New York's state and local government agencies face significant cybersecurity challenges. Aging infrastructure, budget constraints, and the vast amount of resident data these agencies manage create persistent vulnerabilities that ransomware groups actively seek out.
What New York Businesses Must Do After a Breach
The SHIELD Act and related New York regulations impose specific obligations when a data breach occurs. Failure to follow these steps can result in penalties of up to $5,000 per violation from the New York Attorney General.
SHIELD Act Compliance Checklist for Breach Response
Determine the scope: Identify what private information was accessed, the number of affected individuals, and the attack vector used
Notify the New York Attorney General: Submit written notification to the AG's office describing the breach, the categories of information compromised, and the timeline of events
Notify the Division of State Police: Concurrent notification to the NYS Division of State Police is required under GBL §899-aa
Notify the Department of State: If the breach triggers a notification obligation under the SHIELD Act, the Department of State must also be notified
Notify affected individuals: Written, electronic, or substitute notice must be provided to every New York resident whose private information was compromised
Notify consumer reporting agencies: If more than 5,000 New York residents are affected, the business must also notify consumer reporting agencies
Document everything: Maintain records of the breach investigation, notifications sent, and remediation steps taken for at least five years
Engage forensic investigation: While not explicitly required by statute, regulators and courts expect a professional forensic investigation to determine the root cause and full extent of the compromise
How to Protect Your New York Business
Preventing breaches requires a layered security approach that addresses both the SHIELD Act's reasonable safeguards requirement and the practical realities of the current threat environment.
Implement endpoint detection and response (EDR): Traditional antivirus is no longer sufficient. EDR solutions provide real-time monitoring, behavioral analysis, and automated response capabilities across all endpoints
Deploy multi-factor authentication everywhere: MFA remains the single most effective control against credential-based attacks, which account for the majority of initial access in New York breaches
Conduct regular penetration testing: Annual penetration tests — at minimum — identify exploitable vulnerabilities before attackers do
Train employees continuously: Security awareness training should be ongoing, not annual. Phishing simulations, social engineering awareness, and incident reporting procedures should be reinforced regularly
Maintain tested backup and recovery plans: Backups that have never been tested are not backups. Regularly test restoration procedures and ensure backups are isolated from production networks to prevent ransomware encryption
Understanding what managed IT services include and how managed security services work can help New York businesses evaluate whether outsourced security support fits their risk profile and compliance obligations.
Frequently Asked Questions
Does the SHIELD Act apply to businesses outside New York?
Yes. The SHIELD Act applies to any person or business that owns or licenses the private information of New York residents, regardless of where the business is located. If you hold data on New York residents, you are subject to both the notification requirements and the reasonable safeguards mandate.
What are the penalties for failing to notify after a breach in New York?
The New York Attorney General can impose civil penalties of up to $5,000 per violation of the notification provisions. Courts have interpreted 'per violation' to mean per individual not properly notified, which means penalties can accumulate rapidly in large-scale breaches. Additionally, the AG has brought enforcement actions seeking injunctive relief and additional penalties under the state's general consumer protection statutes.
How quickly must New York businesses notify after discovering a breach?
The SHIELD Act requires notification in the 'most expedient time possible and without unreasonable delay.' Unlike some states that specify a fixed number of days (such as 30 or 60), New York uses a reasonableness standard. However, for breaches involving biometric data, the law imposes a specific 10-business-day notification window. In practice, regulators expect notification within 30 to 60 days of discovery.
What is the difference between the SHIELD Act and 23 NYCRR 500?
The SHIELD Act (GBL §899-aa) is a general-purpose data breach notification and security law that applies to all businesses holding New York residents' private information. 23 NYCRR 500 is the NY Department of Financial Services Cybersecurity Regulation, which applies specifically to DFS-regulated entities — banks, insurance companies, mortgage brokers, and other financial services firms. DFS 500 is far more prescriptive, requiring specific controls like encryption, multi-factor authentication, penetration testing, and a dedicated Chief Information Security Officer (CISO). Covered entities must comply with both.
Are small businesses exempt from New York's cybersecurity requirements?
No. Small businesses are not exempt from the SHIELD Act. However, the law provides a scaled compliance standard: businesses with fewer than 50 employees, under $3 million in gross revenue for three consecutive years, or under $5 million in year-end total assets may implement a security program appropriate to their size and complexity. They must still implement reasonable safeguards — the bar is simply adjusted to what is reasonable for their resources.
Alex Morgan
Updated Apr 4, 2026 · 10 min read