Cyberattack stole passwords from state financial disclosure site

Former state employees received a surprise in their mail on Saturday: a notice that their passwords to a former state financial disclosure site were stolen in a cyberattack.

Email addresses, usernames and passwords are from the Joint Commission On Public Ethics Legacy system, which was used for financial disclosures prior to 2015.

When the theft was discovered, all passwords in the current financial disclosure system were reset, the letter says.

“Nevertheless, we understand that it is common for individuals to use the same password across multiple websites and applications,” the letter states. “As a result, we urge you to immediately change your password on any other sites where this password may have been reused and to always use complex passwords that are not repeated across different platforms.”

The letters were signed by the commission’s executive director, Sanford Berland, who apologized for the inconvenience and said the agency was taking steps to reduce the risk of another “security incident”.

Former Governor Andrew Cuomo’s spokesman was among those who received the letter. On Twitter, he immediately criticized the commission, which he called JJOKE instead of JCOPE.

“So either JJOKE has been dragging his heels for 3 months and decided to let people know their info was hacked via snail mail on a holiday weekend,” spokesperson Rich Azzopardi tweeted, “or there had ANOTHER more recent attack which has not been disclosed. Which one is it?”

During the February attack, a web server containing state filing systems for lobbying and financial disclosures had to be taken offline. At the time, officials said they did not yet know if user information had been accessed.

The commission said in a statement that the letter referred to the February attack.

Comments are closed.