Cyber Incident Victim: Broome County
Date: Nov 2018
Location: United States of America
Summary
An unauthorized individual gained access to a Broome County employee email account over a period spanning late 2018 to early 2019, then used credential harvesting to compromise additional accounts containing sensitive data. The breach exposed personal information of county employees and clients, including Social Security numbers, medical records, and bank account details. The incident was discovered following unauthorized changes to an employee's direct deposit information, which prompted an investigation into the unauthorized access.
Description
Between November 20, 2018, and January 2, 2019, an unauthorized individual gained access to a Broome County employee email account. The attacker subsequently leveraged credential harvesting techniques to compromise several additional county accounts containing sensitive personal information. This prolonged access period enabled the exposure of data belonging to both county employees and individuals receiving county services. The compromised information included highly sensitive details such as Social Security numbers, medical records, and bank account information. County officials confirmed the breach through a news release distributed by Mullen Coughlin LLC, a Pennsylvania-based law firm specializing in data breach response. The incident remained undetected for approximately six weeks until January 2, 2019, when unauthorized changes to an employee's direct deposit information triggered an internal alert. This discovery prompted the county to initiate a formal investigation into the security breach.

The investigation revealed that the attacker's unauthorized access potentially affected multiple systems beyond the initial compromised email account. While the exact number of impacted individuals wasn't disclosed, the breach endangered both employee data and client information from county care programs. Broome County publicly acknowledged the exposure of financial data, medical history, and government identification numbers through its official statement. No information was provided regarding whether the exposed data was exfiltrated or merely accessed. The county engaged legal counsel specializing in data breaches to manage incident response and public communications. This breach highlighted risks associated with credential-based attacks on government systems handling sensitive health and financial information.
