New York Racing Association Reports Data Breach Following Hive Ransomware Attack

Console and Associates, P.C.

On August 25, 2022, New York Racing Association (“NYRA”) confirmed that the company experienced a data breach by filing notice of the breach with the Office of the Vermont Attorney General. Evidently, the NYRA was the target of a Hive ransomware attack, which enabled the hackers to obtain access to certain information belonging to certain current and former NYRA employees. According to NYRA, the breach resulted in the first and last names, Social Security numbers, driver’s license numbers, health records, health insurance information and other personal information being compromised. Recently, NYRA sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other frauds.

What We Know About the New York Racing Association Data Breach

News of the New York Racing Association data breach comes from the organization’s official filing with the Office of the Vermont Attorney General as well as a recent news source that had communicated with the hackers responsible for the attack. According to these sources, on or around June 30, 2022, NYRA learned that its computer system had been encrypted in what, at the time, appeared to have been a ransomware attack.

In response, the NYRA began working with federal law enforcement authorities as well as a third-party cybersecurity firm to assist with the organization’s investigation. The investigation confirmed that the incident was a ransomware attack and that the information of certain current and former employees was accessible to the hackers.

Upon discovering that sensitive consumer data was accessible to an unauthorized party, New York Racing Association intended to review the affected files to determine what information was compromised and which consumers were impacted. However, the encryption of NYRA’s computer system delayed the investigation. NYRA explains that it only recently completed its review of the affected files. While the breached information varies depending on the individual, it may include your first and last name, Social Security number, driver’s license number, health records, health insurance information and other personal information you provided to the New York Racing Association.

On August 25, 2022, New York Racing Association sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

More recently, the Hive ransomware group took credit for the NYRA data breach, adding the organization to its list of victims. Based on this source, it appears that the hackers’ demands were unmet, as they recently posted a link that allows anyone to download the stolen information.

If you currently work for or at one time were employed by the New York Racing Association, your personal information may have been leaked in the recent data breach. Given the heightened risk of identity theft and other frauds, it is essential you understand what is at risk and what you can do about it. To learn more about the New York Racing Association data breach, as well as what options victims of the breach may have to bring a claim against the organization, please see our recent piece on the topic here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Console and Associates, P.C. | Attorney Advertising
