New York Business Council Breach Exposes Data of 47,329 People

Two-day February intrusion leaked financial and medical details; group begins notifications and offers credit monitoring as regulators are alerted.

The Business Council of New York State disclosed a February cyberattack that exposed data on 47,329 people, including Social Security numbers, bank and card details, and some medical information. The statewide employer association said it contained the incident, notified authorities, and began mailing notices with credit-monitoring offers after confirming the scope on Aug. 4.

ALBANY, N.Y. — The Business Council of New York State (BCNYS) said a cyberattack between Feb. 24–25, 2025 gave an unauthorized party access to internal systems and files affecting 47,329 individuals, exposing highly sensitive personal, financial, and some protected health information. The organization began notifying affected people on Aug. 15 and is providing credit monitoring.

BCNYS completed its investigation on Aug. 4, concluding that the attackers accessed or acquired files containing combinations of names, Social Security numbers, dates of birth, state ID numbers, bank and routing numbers, payment card numbers, PINs and expiration dates, taxpayer identification numbers, electronic signature data, and in some cases diagnoses, prescriptions, treatments, procedures, and health insurance information. “We have no evidence of financial or medical fraud or identity theft related to this incident,” the organization said in its formal notice.

The council, which represents more than 3,000 organizations employing over 1.2 million New Yorkers, said it contained the incident and engaged outside forensics experts after detecting the intrusion. “An unauthorized party gained access to a limited number of internal systems from approximately February 24 to February 25, 2025,” BCNYS wrote in notices filed with state regulators.

The Record, which first reported the scale and breadth of the exposed data, said notifications are being made in multiple states as required by law.

“An unauthorized party gained access to a limited number of internal systems from approximately February 24, 2025 to February 25, 2025,” BCNYS said, noting it immediately contained the activity and launched a forensic investigation.

“To date, we have no evidence of financial or medical fraud or identity theft related to this incident,” the council added, while urging vigilance and offering complimentary credit monitoring to those whose Social Security numbers were impacted.

“Get a fraud alert or security freeze, monitor financial and medical statements, and consider an IRS Identity Protection PIN where appropriate,” the notices advise recipients, emphasizing steps to mitigate identity and medical fraud.

Technical Analysis

Timeline & scope: Forensic review indicates a two-day dwell time (Feb. 24–25) with exfiltration of stored files confirmed on Aug. 4. The data types point to compromise of file repositories or application data exports used for membership administration, benefits programs, and payments—rather than credential vaults. BCNYS has not publicly identified the initial access vector or threat actor.

Risk profile: The mix of PII + financial + medical records raises multi-vector fraud risks (new-account fraud, ACH fraud, tax refund fraud, and medical identity theft). Exposure of electronic signature information and taxpayer IDs further increases downstream abuse potential.

Mitigations in motion: BCNYS reports network containment, third-party forensics, and ongoing hardening of internal controls. Notices include credit monitoring and consumer protection steps consistent with state breach-notification guidance.

Impact & Response

Who is affected: 47,329 individuals across several states, including at least 17 Rhode Island residents, according to regulator notices.

What BCNYS is doing: Rolling notifications by mail, a dedicated call center, and free credit monitoring (IDX) for impacted individuals; continued cooperation with authorities and security enhancements.

What people should do now: Place fraud alerts or freezes, monitor bank and card statements, review Explanation of Benefits for suspicious medical claims, and consider IRS IP PINs to prevent tax-refund fraud.

The council advocates for business interests in Albany and runs programs—including group insurance—for members statewide. Recent months have seen a steady cadence of U.S. nonprofit and association breaches where membership, benefits, and payments data are centralized in limited internal systems—attractive targets for data-theft monetization.

The BCNYS breach underscores a persistent exposure for associations and nonprofits: high-value data concentration in small IT estates. With a short intrusion window but broad data impact, the incident highlights the need for continuous monitoring, segmented data stores, least-privilege vendor access, and rapid exfiltration detection—alongside consumer-grade remedies that blunt identity and medical fraud.

Sources:

• The Record: “Business Council of New York State says nearly 50,000 had data leaked in February cyberattack.” The Record from Recorded Future
• BCNYS “Notice of Data Security Incident” (updated Aug. 15, 2025). bcnys.org
• Massachusetts AG filing / notification letter (Aug. 15, 2025).