- BCNYS suffered a cyberattack in February, and discovered it in August
- Sensitive personal, payment, and healthcare information was stolen
- There’s no evidence of in-the-wild abuse yet
The Business Council of New York State (BCNYS), an association representing businesses, chambers of commerce, and professional organizations across New York, has confirmed it suffered a cyberattack in which it lost sensitive information on tens of thousands of people.
The BCNYS filed a report with the Office of the Maine Attorney General confirming the breach and detailing the type of data that was stolen. In total, 47,329 individuals were potentially affected by the incident, in which unidentified cybercriminals stole full names, Social Security numbers (SSN), dates of birth, state identification numbers, financial institution names, financial account and routing number information, payment card numbers, PINs, payment card expiration dates, taxpayer identification numbers, and electronic signature information.
The stolen data also included health information such as names of medical providers, information on medical diagnoses and conditions, prescription information, data regarding medical treatment and procedures, and healthcare insurance information.
How to stay safe
The incident apparently happened in late February 2025, but BCNYS did not notice it until early August, when it kicked off an investigation and notified relevant authorities.
So far, there is no evidence that the stolen files were used in identity theft, phishing, or other cybercrime – but of course, this doesn’t mean it’s not happening, or that it won’t happen.
Hackers can use stolen data to open bank accounts or credit lines, make unauthorized purchases, file false tax returns, and even access medical services or prescriptions under someone else’s name.
Victims should place a fraud alert or credit freeze with the major credit bureaus, monitor bank and credit card statements daily, and sign up for the identity theft protection or credit monitoring that BCNYS is offering free of charge.
They should also change passwords and enable multifactor authentication on all accounts, notify their banks and insurers of potential fraud, and request an IRS Identity Protection PIN to block fake tax filings.
For the medical data, victims should review insurance Explanation of Benefits (EOB) statements and contact providers to flag any suspicious medical activity.
Via BleepingComputer