Information Regarding the Legacy FDS Application Updated 6/1/2022
In response to inquiries we have received regarding the agency’s May 27, 2022 State Technology Law § 208 notice, please be advised that the file that the New York State Office of Information Technology Services (“NYS OITS”) – which manages JCOPE’s web applications and databases – believes was improperly accessed did not contain any information other than old passwords and user names for an outdated application, JCOPE’s legacy Financial Disclosure System, which was replaced in 2015 and no longer exists.
Although the password requirements for the current FDS system, which is accessed through New York government (“NY.gov”) accounts, are much more rigorous than those that were in effect in 2015 and earlier, and all passwords must be changed annually – i.e., FDS filers have been required to use more complex passwords and to make multiple password changes over the intervening years – as yet another precaution, NY.gov accounts that matched against the obsolete FDS accounts were promptly flagged for a forced password reset on next login.
Finally, an extensive, in-depth and lengthy forensic analysis by NYS OITS confirms that there is no evidence that JCOPE’s current system for the filing of Financial Disclosure Statements – which, by law, are available to the public – was improperly accessed at any time.
Data Breach Notice Sent 5/27/2022
The Joint Commission on Public Ethics (“JCOPE”) today announced that it has provided required notice to the people whose emails/usernames and passwords were contained in a file that was improperly accessed in the February cyber security incident that led to the temporary shutdown of JCOPE’s Lobbying Application (“LA”) and Online Financial Disclosure Statement (“FDS”) systems. The body of that notice letter follows.
We are writing to inform you that we have identified a security incident in which information technology systems at the Joint Commission on Public Ethics were breached. As a result, we have reason to believe that a file containing your email/username and password for the JCOPE Legacy (pre-2015) Financial Disclosure System was improperly accessed. The Legacy FDS filing system was in place to maintain annual Financial Disclosure Statements made by state employees and officials until its replacement in 2015. Once evidence of possible file access of usernames and passwords used in the Legacy system was discovered, all passwords for the current FDS filing system were reset as a precautionary measure. Nevertheless, we understand that it is common practice for individuals to use the same password across multiple websites and applications. As a result, we urge you to immediately change your password on any other sites on which this password may have been reused and to always utilize complex passwords that do not repeat across different platforms.
In addition, we strongly encourage you to examine the resources available through a number of governmental entities. The Federal Trade Commission’s (FTC) website (www.identitytheft.gov) includes comprehensive information concerning precautionary measures that may be taken to minimize risks, including contact information for major credit reporting bureaus. You may also contact the FTC by calling (202) 326-2222 or toll-free at (877) 438-4338. The New York State Attorney General’s office can also provide important information about monitoring your accounts for fraudulent activity (www.ag.ny.gov/consumer-frauds/identity-theft) and can be reached at 1-(800)-771-7755.
We understand the importance of safeguarding your information and are taking steps to minimize the future likelihood of a security incident, including ongoing system vulnerability testing, security logging and preventative measures, continued information technology systems monitoring, and other appropriate safeguards.
We apologize for the inconvenience.
Online Applications Restored 3/9/2022
The Joint Commission on Public Ethics (“JCOPE”) authorized the State Office of Information Technology Services (“ITS”) to restore the online Lobbying Application (“LA”) and Financial Disclosure Statement (“FDS”) systems on March 9, 2022. The target of this cybersecurity incident, the pre-2019 legacy online lobbying filing system, will remain offline until further notice. Data from the legacy online filing system will also not be available until further notice.
Any filings due between February 17 and March 9 will be automatically granted an extension to March 31. Additionally, the March 15 lobbying bi-monthly report deadline is also extended to March 31.
The information security officials at ITS have completed their forensic review process, which attempts to retrace the malicious activity step-by-step. Although no direct or circumstantial evidence of any unauthorized access of user data or credit card information has been found, any evidence or other indication suggesting unlawful use of user information will be handled in accordance with state cyber-security laws.
JCOPE will continue to work with other state agencies, including the Office of the Attorney General and the Department of State’s Division of Consumer Protection, to ensure that any affected users are contacted and all legal obligations are met.