The Social Security numbers of an estimated 26,000 Suffolk County employees and retirees may have been exposed during the Sept. 8 cyberattack on county government, County Executive Steve Bellone said Thursday.
The county will directly notify possibly impacted individuals, who include all employees eligible for the county health insurance plan, by mail beginning Friday, Bellone told Newsday.
The exposure was discovered during a forensic audit of the attack that a private company is conducting for Suffolk.
Bellone spokeswoman Marykate Guilfoyle said Bellone met with the forensic team Wednesday night and made the decision to begin notifications.
WHAT TO KNOW
- Social Security numbers of some 26,000 Suffolk County employees and retirees may have been exposed during the Sept. 8 cyberattack on county government, officials said.
- Suffolk will notify potentially impacted individuals, who include employees eligible for the county health insurance plan, by mail beginning Friday.
- County Executive Steve Bellone did not say whether the Social Security numbers were paired with other identifying information such as individuals' names or birth dates.
Guilfoyle did not say when the potential breach of Social Security numbers was discovered.
Bellone’s announcement came more than a week after he said 470,000 people who received moving violations issued by county police may have had their driver’s license numbers exposed.
Bellone acknowledged Thursday that as an employee on the county health plan, his Social Security number could have been exposed.
“I've gotten these types of notifications a number of times from corporations and businesses that I interact with,” he said. “Unfortunately, it seems to be a part of our modern world right now.”
The county will offer a year of free credit monitoring and identity theft protection by Kroll, a private Manhattan-based cybersecurity company, to individuals potentially affected by the breach.
Guilfoyle said some of the Social Security numbers were attached to names and addresses.
Kees Leune, program director of computer science at Adelphi University in Garden City, said accompanying identification is key to determining a Social Security number’s value on the "dark web," an anonymized section of the internet where criminal activity can occur.
“By itself, a Social Security number does not have much value,” Leune told Newsday.
“But when it is paired with a name and home address that changes things,” Leune said.
A Social Security number is worth about $2 on the dark web, according to a 2021 price index from Privacy Affairs, a consortium of cybersecurity professionals, technology journalists and privacy advocates.
Bellone declined to offer additional details on the forensic audit.
“Everybody is working 24/7 on this,” Bellone told Newsday. “And as soon as we're able to provide some of the factual information we'll be doing so.”
The Suffolk County Legislature has formed a special committee with subpoena power to investigate the cause of the cyberattack.
Members of the committee are expected to be announced during the legislature’s general meeting Tuesday, said Legis. Kevin McCaffrey (R-Lindenhurst), presiding officer of the legislature.
“We're going to be hiring our own experts, we're going to hire our own counsel that's going to be able to help us get to the bottom of this, to make sure that it doesn't happen again,” McCaffrey told Newsday.
Mike Skelly, spokesman for the Suffolk Association of Municipal Employees, the county’s largest public employee union, said the union was “engaging in ongoing discussions with the administration to address these issues.”
Noel DiGerolamo, president of the Suffolk County Police Benevolent Association, the county's largest police union, said he believed the county was taking the necessary steps to offer employees the proper tools to prevent identity theft.
“What I think it does show us is that municipalities are no greater protected than anyone else in our society from being victimized by those who would prey on innocent unexpecting victims,” DiGerolamo told Newsday.