Saturday, October 7, 2023

State Comptroller Thomas P. DiNapoli's Weekly News - October is Cybersecurity Awareness Month


October is Cybersecurity Awareness Month

Cyber Crime

This month, in two recently released reports, State Comptroller DiNapoli highlights the rise in cybercrime and the serious threat it poses to New York State and its local governments. Cyberattacks in New York State increased 53% between 2016 and 2022. Estimated losses in New York from cyberattacks in 2022 totaled over $775 million, while losses nationwide totaled $10.3 billion. DiNapoli’s report, Cyberattacks on New York’s Critical Infrastructure, details the recent proliferation of cyberattacks and the most common types, and discusses efforts to respond to and prevent such attacks.

In New York, cyberattacks have impacted local governments and schools both large and small, with reported attacks at counties including Albany, Chenango, Erie, Nassau, Schenectady, Suffolk, and Schuyler; cities including New York, Albany, Buffalo, Yonkers, Long Beach, and Olean; and towns including Brookhaven, Ulster, Canandaigua, and Moreau. In a second report, DiNapoli's office recommends that local government and school officials treat cybersecurity risks as they do any other hazard they encounter: identify the risks, reduce their vulnerabilities, and plan for contingencies.

“Cyberattacks are a serious threat to New York’s critical infrastructure, economy, and our everyday lives,” said DiNapoli. “Data breaches at companies and institutions that collect large amounts of personal information expose New Yorkers to potential invasions of privacy, identity theft, and fraud. Also troubling is the rise in ransomware attacks that can shut down systems we rely on for water, power, health care and other necessities. Safeguarding New York from cyberattacks requires sustained investment, coordination, and vigilance.”


MTA Avoided A Fiscal Crisis, Now It Has To Convince Riders To Come Back

In a turnaround from the fiscal crisis it faced a year ago, the Metropolitan Transportation Authority (MTA) today stands on firmer financial ground, largely because the state budget provided dedicated sources of revenue to close projected budget gaps, according to State Comptroller DiNapoli’s annual report on the MTA’s fiscal outlook. With this improved financial picture, the burden is now on the MTA to improve the region’s transit system and win riders back, while keeping its budget balanced, DiNapoli’s analysis concludes.


Frank James Sentenced to Life in Prison for Subway Mass Shooting

 

 Defendant Fired 32 Rounds, Wounding 10 Defenseless Victims Before His Gun Jammed on Crowded Subway Car in Brooklyn in April 2022

Frank James, 62, of Milwaukee, Wisconsin, was sentenced by U.S. District Judge William F. Kuntz II to 10 concurrent life sentences in prison, plus 10 years to run consecutively for shooting 10 people during an attack on the New York City subway in Sunset Park, Brooklyn, on April 12, 2022. James previously pleaded guilty to all 11 counts of a superseding indictment, which included 10 counts of committing a terrorist attack or other violence against a mass transportation vehicle – one count for each gunshot victim – and one count of discharging a firearm in furtherance of his violent attack.

“Nothing can undo the damage that Frank James’s mass shooting inflicted on the 10 victims who were shot or the dozens more who suffered other injuries, but this sentence ensures that he will spend the rest of his life in prison for the devastation he caused,” said Attorney General Merrick B. Garland. “This sentence also makes clear that the Justice Department has no tolerance for crimes that terrorize our communities and will ensure accountability for those who perpetrate them.”

“Whenever domestic violent extremists violate our laws and commit heinous acts of violence against the American public, the FBI will work hand in hand with our law enforcement partners at all levels to pursue justice for the victims and hold criminals accountable for their abhorrent actions,” said FBI Director Christopher Wray. “The public we serve deserves nothing less.”

“In an act of cold-blooded terrorism, this defendant shot 32 rounds at defenseless victims trapped in a subway car during their rush hour commute,” said Director Steven Dettelbach of the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF). “ATF agents immediately responded to the scene of the shooting and joined their state, local and federal law enforcement partners in the investigation. When a gun was recovered on the subway platform, ATF conducted an urgent trace of the crime gun to identify the purchaser, ultimately leading to the name of the shooter. Today’s sentence not only reflects the heinousness of the crimes committed, but it reflects the extraordinary work of all the law enforcement and prosecutors involved. It takes the best of the best to catch the worst of the worst.”

“This sentence delivered the necessary penalty for Frank James who callously carried out a terroristic mass shooting on a crowded subway car, intentionally attempting to kill innocent people, and spilling much blood,” said U.S. Attorney Breon Peace for the Eastern District of New York. “He wounded 10 victims in his planned out attack and affected the lives of many more. Every one of the victims who experienced that horror feared that they would never see their children or loved ones again. It is appropriate that the defendant will never know freedom again and will spend the rest of his life in prison so that no one can be harmed further by him. I hope that this sentence brings some closure to the many victims of this violent attack and brings comfort to the city at large in knowing that justice was done.”

During rush hour on the morning of April 12, 2022, James used a Glock 17 pistol he legally purchased to conduct a mass shooting on an N subway train in Brooklyn. James planned his act of terror for years – purchasing smoke bombs, disguises, firearms, and ammunition. He scouted the location for his attack and completed multiple practice runs. As part of his attack, James, disguised in an orange reflective jacket and yellow hard hat to look like a Metropolitan Transportation Authority (MTA) employee, set off a smoke-bomb in a subway car before opening fire on his captive victims. Panicked passengers ran to the far end of the subway car, allowing James to shoot at his victims more easily. When the defendant started shooting, the train was between stations and then temporarily stalled, leaving victims trapped. In total, 10 victims were struck by 16 bullets fired by the defendant. Dozens more suffered from smoke inhalation and other mental and physical injuries due to the defendant’s attack. James then fled the scene of the attack, changing his clothing frequently to evade detection while law enforcement engaged in a 36-hour manhunt to find him and bring him to justice.   

At some point after the shooting, James purchased a burner phone which he used to follow the coverage of his attack while hiding from law enforcement. For example, James watched 31 videos of news reports about his subway shooting. He also watched a James Bond chase scene from the movie “No Time to Die” 10 times after the attack. Finally, James turned himself in by calling the NYPD crime stoppers hotline on April 13, 2022, the day after the mass shooting.

The New York Joint Terrorism Task Force investigated the case, with valuable assistance provided by the Metropolitan Transportation Authority (MTA) and the ATF.

Attorney General James and Multistate Coalition Secure $49.5 Million from Cloud Company for Data Breach

 

Blackbaud’s 2020 Data Breach Exposed Donor Information of Thousands of Nonprofit Organizations Nationwide

Multistate Investigation Found Blackbaud Failed to Implement Strong Data Security Measures to Protect Donors’ Personal Information from Data Breaches

New York Attorney General Letitia James and a multistate coalition of 50 attorneys general reached a $49.5 million agreement with cloud company Blackbaud over a massive data breach that impacted thousands of nonprofit institutions, including charities, colleges and universities, and health care organizations in New York and across the country. Blackbaud provides donor data management software and, in 2020, experienced a data breach that exposed the personal information of its customers and millions of their donors and constituents. As a result of today’s agreement, Blackbaud has agreed to overhaul its data security and breach notification practices and pay $49.5 million to the affected states, of which New York will receive $2.9 million.

“New Yorkers, and all Americans, deserve to know that their personal information is secure and protected,” said Attorney General James. “Blackbaud was supposed to safeguard the private information held by nonprofits regarding donors and customers, but instead its poor data security measures put everyone at risk. There is no excuse for a cloud company to have poor data security measures. As data breaches become more pervasive, my office will continue to ensure companies are securing their networks against these attacks.”

Blackbaud provides software to various nonprofit organizations, including charities, higher education institutions, K-12 schools, and healthcare, religious, and cultural organizations. Blackbaud’s customers use its software to connect with donors and manage data about their constituents, including contact and demographic information, Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history, and protected health information. This type of highly sensitive information was exposed during the 2020 data breach, which impacted over 13,000 institutions that were Blackbaud customers and millions of their respective consumer constituents. Blackbaud paid the threat actor a ransom and was provided evidence that the stolen data was deleted.

Thousands of New York institutions were affected by Blackbaud’s data breach. A full list can be found here.

This settlement resolves claims made by Attorney General James and the coalition of 50 attorneys general that Blackbaud violated state consumer protection laws, breach notification laws, and HIPAA. The multistate investigation found that Blackbaud failed to implement reasonable data security and fix known security gaps, which allowed unauthorized persons to gain access to Blackbaud’s network. Following the breach, Blackbaud neglected to provide its customers with timely, complete, or accurate information regarding the breach, as required by law. As a result, notification to the consumers whose personal information was exposed was significantly delayed or never occurred at all, as Blackbaud downplayed the incident and led its customers to believe that no notification was required.

Under the settlement, Blackbaud has agreed to strengthen its data security and breach notification practices going forward, including:

  • Discontinuing misrepresentations related to the processing, storing, and safeguarding of personal information; the likelihood that personal information affected by a security incident may be subject to further disclosure or misuse; and breach notification requirements under state law and HIPAA.
  • Implementing and maintaining incident and breach response plans to prepare for and more appropriately respond to future security incidents and breaches.
  • Updating breach notification provisions that require Blackbaud to provide appropriate assistance to its customers and support customers’ compliance with applicable notification requirements in the event of a breach.
  • Improving security incident reporting to the CEO and board, employee training, and appropriate resources and support for cybersecurity.
  • Applying personal information safeguards and controls requiring total database encryption and dark web monitoring.
  • Using specific security requirements with respect to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing.
  • Implementing third-party assessments of Blackbaud’s compliance with the settlement for seven years.

Joining Attorney General James in today’s multistate agreement are the attorneys general of Alabama, Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.

This agreement continues Attorney General James’ efforts to protect New Yorkers’ personal information and hold companies accountable for their poor data security practices. In September, Attorney General James reached an agreement with Marymount Manhattan College to invest $3.5 million to protect students’ online data. This past May, Attorney General James secured $300,000 from Sports Warehouse for failing to protect the data of 2.5 million customers. Also in May, Attorney General James recouped $550,000 from a medical management company for failing to protect patient data. In April, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices. In December 2022, Attorney General James secured $200,000 from student cap and gown producer Herff Jones for failing to protect consumers’ personal information. In October 2022, Attorney General James announced a $1.9 million agreement with the owner of SHEIN and Zoetop for failing to properly handle a data breach that compromised the personal information of millions of consumers. In June 2022, Attorney General James secured $400,000 from Wegmans and required the retailer to improve data storage security after a data breach exposed consumers’ personal information. In March 2022, Attorney General James issued a consumer alert advising T-Mobile customers to take appropriate steps to protect their personal information following a data breach.

Bronx Man Sentenced To 22 Years In Prison For Drug-Related Shooting On Crowded Manhattan Sidewalk

 

Damian Williams, the United States Attorney for the Southern District of New York, announced that MICHAEL ROWE, a/k/a “MJ,” was sentenced to 22 years in prison for shooting another man over a $150 drug debt on a crowded sidewalk in Hell’s Kitchen on April 29, 2023.  ROWE was sentenced today by U.S. District Judge Denise L. Cote.

U.S. Attorney Damian Williams said: “Michael Rowe resorted to a reckless act of violence when his victim failed to pay him just $150.  Rowe could have taken someone’s life on that crowded sidewalk in Hell’s Kitchen over a trivial drug debt, but fortunately, no bystanders were hurt, and the victim survived his injuries.  Thanks to the quick work of our law enforcement partners and the prosecutors of this Office, Rowe now faces prison time for his dangerous behavior.”

According to the Complaint and Information, as well as statements by the Government and defense in connection with the plea and sentencing proceedings in this case:

On or about April 29, 2023, ROWE got into a disagreement with another individual (the “Victim”) on the sidewalk in the vicinity of 650 Ninth Avenue in Manhattan.  ROWE had given the Victim a quantity of cocaine base to sell, and the Victim had failed to pay ROWE a debt of $150.  After they exchanged words, ROWE brandished a firearm and shot the Victim several times as the Victim stood among other bystanders.  ROWE shot the Victim in the leg, among other places, and the Victim was hospitalized with serious physical injuries.  Video footage from the scene shows ROWE pointing the gun and shooting the Victim, as others in the area fled for safety.

ROWE (in black) and the Victim (in blue) Arguing


ROWE Shooting the Victim


ROWE, 23, of the Bronx, New York, pled guilty to possessing ammunition after sustaining three prior felony convictions for violent felonies and serious drug offenses and to conspiring to distribute cocaine base.  In addition to the prison term, ROWE was sentenced to five years of supervised release.

Mr. Williams praised the outstanding investigative work of the FBI and the NYPD. Mr. Williams also thanked the Bureau of Alcohol, Tobacco, Firearms, and Explosives for its assistance in this case.

Following Historic Storm and Flooding, Comptroller Lander Launches Investigation Into City’s Management of Extreme Rainfall

 

Constructive investigation announced with support from Mayor Adams as Tropical Storm Ophelia capped off second wettest September since 1882

New York City Comptroller Brad Lander announced his office is launching an investigation into the City’s ability to manage extreme rainfall, after Tropical Storm Ophelia shut down subway lines, damaged basements and flooded streets last week. The investigation will evaluate how the City is implementing the policies and protocols it set forth after Hurricane Ida. The goal is to learn from the impact of and response to Ophelia, in order to more effectively prepare for and respond to future extreme rainfall events.

“Last week’s brutal storm was just the latest example of extreme weather that is sadly becoming our new climate reality,” Comptroller Lander said. “To ensure the City can respond as effectively as possible to keep New Yorkers safe from increasingly strong and frequent storms, we must make sure we’re implementing the plans we’ve made, and doing everything we reasonably can to accelerate action.”

“We’re proud of the tireless work and swift response from thousands of city workers in response to last week’s flooding, which ensured we did not have a single reported death or serious injury, and that we were able to quickly rescue 18 New Yorkers from cars and basement apartments, but there is always more work to do to ensure the safety of our city’s residents,” said Mayor Adams. “Infrastructure upgrades we made across the city in this administration, including in the Jewel Streets neighborhood of Queens, helped alleviate flooding within hours, rather than within the weeks it took during Hurricane Ida two years ago. At the same time, our administration is thinking creatively and acting aggressively to prepare New Yorkers and our city for the ever-growing threat of severe storms — including through our Capital Process Reform Task Force with Comptroller Lander, which has put forward reforms to accelerate major infrastructure projects. We look forward to working with the comptroller on a fair, thorough, and balanced review to ensure our city is equipped as these storms become increasingly frequent and severe.”

When Hurricane Ida hit in September 2021, it brought the heaviest rainfalls New York City has ever seen. The rains lasted eight hours and fell at an unprecedented level of intensity that exceeded the capacity of the City’s sewer system. Tragically, 13 people lost their lives, 11 of whom were horrifically trapped in basement apartments.

In response to Hurricane Ida, the City unveiled action items for future extreme weather events, laid out across several plans. It convened an Extreme Weather Response Task Force of interagency staff who issued a new set of protocols and policies for combatting heavy rainstorms in a report issued later that same month called The New Normal. In 2022, the Adams Administration released Rainfall Ready, a plan that outlines actions for the City to take to address intense storms, along with key safety precautions. The City received $188 million through HUD CDBG-Disaster Recovery funding in 2022 to carry out an action plan for long-term Hurricane Ida recovery efforts.

Using the near- and long-term action items laid out in these post-Ida plans, Lander’s office will assess the City’s progress in implementing its commitments, as well as what other actions are necessary. For near-term actions that were to be enacted immediately, the office will review how well those measures have been integrated into the City’s emergency response, and to what extent they were followed for Tropical Storm Ophelia. The investigation will also review whether longer-term initiatives, such as capital infrastructure improvements, are on track, and consider recommendations for accelerating or expanding those actions.

“Before the next extreme weather event, we must ensure our City has effectively adopted all of the lessons we learned from recent storms,” Louise Yeung, the Comptroller’s Chief Climate Officer, said. “These types of rainstorms are only becoming more frequent – and our efforts to prepare must escalate accordingly.”

“Since Hurricane Ida’s devastating impact on New York City, the city has taken aggressive action to prepare for the ever-greater threat of severe storms,” said Chief Climate Officer and DEP Commissioner Rit Aggarwala. “We continue to implement the next generation of stormwater solutions — both quick fixes and more significant long-term upgrades. We’re committed to collaborating closely with Comptroller Lander’s office to accelerate the work and fight for funding as we make New York City more resilient.”

“As Tropical Storm Ophelia reminded us, environmental justice communities across New York City are on the front lines of the damage and danger brought by climate change-fueled storms,” said Eddie Bautista, Executive Director of the New York City Environmental Justice Alliance. “Low-income communities of color in Brooklyn and Southeast Queens who once again saw their homes, subways, and streets inundated by extreme rain cannot wait any longer for the physical and communications infrastructure needed to protect their lives and property. The City must move with urgency to do everything it can to ensure the safety and resiliency of frontline communities.”

Read Lander’s letter to Mayor Eric Adams about the investigation.