NY’s Ransomware and Data Breaches Third Highest in Nation Over Six Years; Over $775 Million Lost in 2022 Alone
Cyberattacks in New York state increased 53% between 2016 and 2022, jumping from 16,426 incidents in 2016 to 25,112 in 2022. The number of attacks targeting critical infrastructure in New York state nearly doubled to 83 in the first half of 2023 compared to 48 during the entirety of last year, according to a report released today by State Comptroller Thomas P. DiNapoli.
Estimated losses in New York from cyberattacks in 2022 totaled over $775 million, while losses nationwide totaled $10.3 billion.
“Cyberattacks are a serious threat to New York’s critical infrastructure, economy and our everyday lives,” said DiNapoli. “Data breaches at companies and institutions that collect large amounts of personal information expose New Yorkers to potential invasions of privacy, identity theft and fraud. Also troubling is the rise in ransomware attacks that can shut down systems we rely on for water, power, health care and other necessities. Safeguarding our state from cyberattacks requires sustained investment, coordination, and vigilance.”
Relative to other states, New York had the third highest number of ransomware attacks (135) and corporate data breaches (238) in 2022, trailing only California and Texas for ransomware attacks and California and Florida for corporate data breaches. New York also had the fourth-highest number of cybercrime victims in the nation in 2022 with losses skyrocketing 632% since 2016.
The two most attacked critical infrastructure sectors through ransomware and data breaches in New York were Healthcare and Public Health (9) and Financial Services (8). Commercial Facilities and Government Facilities (7) tied for third.
Combatting the Threat
Securing critical infrastructure from cyberattacks will require sustained investment, coordination and vigilance. In 2022, the Governor appointed a state chief cyber officer to lead cross-agency efforts to combat cyber threats and improve the state’s critical infrastructure assets’ cybersecurity. The cyber chief leads a newly created Joint Security Operations Center, a multi-agency cybersecurity coordination hub linking New York state, New York City, local and regional governments and critical infrastructure stakeholders and federal partners for information sharing, cyber threat detection and incident response. In August, the Governor released the first statewide cybersecurity strategy, which will allow the state to access new federal funding.
The federal Cyber Incident Reporting for Critical Infrastructure Act of 2022, for which rules and regulations are being developed, will require cybersecurity reporting for critical infrastructure sectors. The creation of a centralized repository of data breach reports from across the critical infrastructure sectors would also aid in identifying new attack-vectors or exploits before they become widespread, and for coordinated responses to emerging cyberthreats. Encompassing local governments in this database would be important.
DiNapoli’s cybersecurity audits of state agencies and public authorities have found several common technical weaknesses and risks across its audits, such as entities’ misunderstanding of security risks, unsupported applications, unknown data on systems, poor access controls and a lack of monitoring of changes to systems, among others. Recommendations are provided to each agency to enable them to begin corrective actions immediately to strengthen their networks.
Cybersecurity Challenges Facing NY’s Local Governments and Schools
DiNapoli also released a report on the cybersecurity challenges facing New York’s local governments and school districts. In New York, cyberattacks have impacted local governments and schools both large and small, including reported attacks at counties including Albany, Chenango, Erie, Nassau, Schenectady, Suffolk, and Schuyler; cities including New York, Albany, Buffalo, Yonkers, Long Beach, and Olean; and towns including Brookhaven, Ulster, Canandaigua, and Moreau.
In 2019, a ransomware attack on the Syracuse City School District froze the district out of its own systems, crippling the website, email system, phones, and back-end functions like payroll and student management. Other attacks on local governments have had far reaching impacts. The September 2022 ransomware attack on Suffolk County, the ramifications of which the county is still dealing with, required the county to disable important computer systems and move many of the county’s functions back to pen and paper for months. It was a cautionary example of the potential impacts of a cyberattack, and highlighted the risk to state systems that linked local government systems could pose.
These and other recent events have demonstrated the serious risks that illegal access to these systems can pose to critical local government and school operations that rely heavily on technology. DiNapoli’s report provides guidance and resources for local governments and schools to help them manage the risks associated with cybersecurity.
Risks in Local Governments and School Districts
From 2019 through July 31, 2023, DiNapoli’s Local Government and School Accountability division released more than 190 information technology (IT) audits, finding more than 2,400 cybersecurity-related issues. The audits focused on breakdowns or gaps in fundamental cybersecurity components. The most common areas where improvement and corrective action were needed included cybersecurity governance aspects such as training in IT security awareness, policies and procedures, and the need for contingency plans. Because these cybersecurity audits are sensitive in nature, many findings and recommendations for corrective action are communicated confidentially to local government and school officials. Often the audit recommendations can be implemented at no or low cost to local governments or school districts.