Cyber Incident Victim: Research Foundation for the State University of New York
Date: May 2021
Location: United States of America
Summary
Unauthorized access to the Research Foundation for the State University of New York's network occurred over a multi-week period, compromising names and Social Security numbers. The breach was detected approximately five days after the activity concluded, impacting 46,734 individuals whose specific affiliations were not disclosed. No ransom demands were reported in connection with the incident.
Description
On May 22, 2021, unauthorized actors gained access to the Research Foundation for the State University of New York's network, initiating a cybersecurity incident that persisted undetected for nearly seven weeks. The intrusion remained active until July 9, 2021, and the foundation's security team discovered suspicious network activity on July 14, 2021. Forensic investigations confirmed that attackers exfiltrated sensitive personal information during this period, specifically targeting names and Social Security numbers stored within the organization's systems. The foundation did not report observing any ransom demands or communication from threat actors, nor did it disclose technical details regarding the initial attack vector or malware used in the compromise. Internal detection mechanisms failed to identify the breach during its active phase, with discovery occurring five days after the attackers' last observed network activity.

The foundation formally notified 46,734 affected individuals via mailed letters dated August 13, 2021, approximately one month after discovering the breach. Notification materials did not specify whether compromised records belonged to employees, donors, research participants, or other affiliated individuals, leaving the exact demographic scope undefined. No public statements detailed operational disruptions, financial losses, or specific containment measures implemented following the breach discovery. The organization offered credit monitoring and identity theft protection services to impacted parties but did not disclose the duration or terms of these remedies. Personal information exposure created significant identity theft risks for victims due to the sensitivity of stolen Social Security numbers. The foundation concluded its investigation without releasing additional technical findings regarding attacker methodologies or systemic vulnerabilities exploited during the intrusion.
