New York Faces Surge in Cyberattacks, Data Breaches in 2025
New York State has experienced a significant increase in cyberattacks and data breaches targeting both public and private sectors in the first half of 2025, raising concerns about the security of sensitive data for millions of residents.
Between January and March of this year, several high-profile incidents exposed the personal information of hundreds of thousands of New Yorkers. A data breach at the New York Blood Center in January compromised the data of nearly 200,000 individuals. February saw hackers infiltrate the Business Council of New York State’s systems, stealing data – including Social Security numbers and bank account information – belonging to 47,000 people, with the breach going undetected for 160 days. Most recently, in March, Attorney General Letitia James filed a lawsuit against Allstate and National General alleging cybersecurity lapses led to the theft of driver’s license numbers for over 165,000 New Yorkers. This wave of attacks underscores the growing vulnerability of critical infrastructure and personal data in the digital age.
The Empire State’s position as a major financial hub, home to institutions like the New York Stock Exchange and numerous global banks, makes it a prime target for cybercriminals, both foreign and domestic. The state also boasts leading universities such as New York University and world-class hospitals like Mount Sinai, all of which manage vast amounts of sensitive data. Former New York Attorney General Dennis Vacco noted that while security measures like the 2019 SHIELD Act and recent legislation extending reporting requirements are necessary, they are not sufficient to address the underlying risks within IT infrastructure. He argued for increased oversight of cloud and data platforms, including audit rights and data sovereignty protections, as well as state-level trusted vendor mandates.
Vacco also emphasized the need for sensible federal policies, citing the Justice Department’s recent approval of the Hewlett Packard Enterprise acquisition of Juniper as a positive step toward competing with Chinese firms that pose significant cybersecurity threats. He stated, “We must remain vigilant and treat foreign cyber adversaries the same way we treat all fraudsters, scammers, and other bad actors — stop them before they inflict harm.” State officials are now considering the creation of a Digital Resilience Authority to coordinate threat sharing and bolster cybersecurity investments across the state.
