The citymeetings.nyc logo showing a pigeon at a podium with a microphone.

citymeetings.nyc

Your guide to NYC's public proceedings.
QUESTION

What is the timeline and reason for the delay in notifying affected parties about the DOE and Move It data breaches?

1:56:09

·

89 sec

The Chief Information Security Officer explains that after a vulnerability was exploited last summer, NYC partnered with DOE to mitigate the issue, but around 19,000 unique files were exposed by a third actor.

  • An analysis was conducted to identify sensitive data in the exposed files, in collaboration with an eDiscovery firm.
  • This analysis was done line-by-line to determine impacted data elements, involving the agency privacy team.
  • The notification timeline was around 60-90 days after the vulnerability disclosure to complete this analysis before notifying affected parties.
Jennifer GutiƩrrez
1:56:09
Regarding DOE and Movement, those affected by the data breaches from Move Its Software and Illuminate were apparently not notified until weeks after these incidents transpired.
1:56:21
Could you detail for the record the timeline there and why it took so long for affected parties to be notified?
Kelly Moan
1:56:28
Sure.
1:56:29
So move it was a 0 day vulnerability that was exploited last summer, very quickly upon disclosure of the vulnerabilities globally.
1:56:40
We partnered with DELE to ensure relevant mitigations were put in place.
1:56:46
Unfortunately, very quickly after We identified, again, close collaboration with the DOE team that there was a cyber incident that had taken place, and the 3rd actor was able to point information, approximately 19,000 unique files were exposed.
1:57:05
And so upon identification that relevant files were exposed, the process started to identify what if any sensitive data elements were potentially exposed as part of those files.
1:57:21
So that analysis We partnered closely with a a leading ediscovery firm to do that analysis of line by line by line to determine what data elements were impacted, and that was in close collaboration with the agency privacy team and the office of information privacy.
Jennifer GutiƩrrez
1:57:38
And what thank you.

← Previous Chapter

What audits does the New York City Cyber Command conduct to assess agency cybersecurity readiness and responsiveness?

Next Chapter →

What was the timeline for notifying the Office of Technology and Innovation (OTI) about the data breach vulnerability?
Citymeetings.nyc pigeon logo

Is citymeetings.nyc useful to you?

I'm thrilled!

Please help me out by answering just one question.

What do you do?

Thank you!

Want to stay up to date? Sign up for the newsletter.