Cyber Incident Victim: New York States Joint Commission on Public Ethics

On or around February 18, 2022, the New York State Joint Commission on Public Ethics (JCOPE) experienced a deliberate malicious cyber-attack that forced the shutdown of its systems. The New York Office of Information Technology Services (ITS) first detected suspicious activity on JCOPE’s network at the beginning of the preceding week, triggering an alert that prompted immediate containment measures. JCOPE proactively disabled critical systems, including its online lobbying application and financial disclosure statement filing platform, to prevent potential escalation. Following several days of preliminary forensic analysis by ITS, officials confirmed the cyber-attack’s occurrence, though the scope remained under investigation. No timeline was established for restoring operations, with systems remaining offline indefinitely until security could be assured. The Commission initiated an internal investigation but had not identified suspects or confirmed whether user data or agency information was compromised at the time of reporting.

JCOPE engaged multiple law enforcement and regulatory partners, including the New York State Police, the Office of the Attorney General, and the Department of State’s Consumer Protection Division, to investigate the incident and address potential legal obligations arising from a system breach. The Commission began notifying lobbying entities and financial disclosure filers about the security incident and its operational impacts. Automatic extensions were granted for submissions due during the outage, with the duration to be determined post-recovery. Executive Director Sanford Berland emphasized safeguarding the integrity and security of data entrusted to JCOPE as the agency’s paramount priority throughout the response. Restoration efforts and forensic work continued without public disclosure of technical specifics regarding the attack vector or compromised assets.