The city Department of Finance inadvertently emailed a roster of all of its staff — containing home addresses, cell numbers and personal email addresses — to the agency’s roughly 1,800 employees in a botched test of its emergency notification system, THE CITY has learned.
The snafu was accompanied by automated calls to agency employees that were mistakenly made around 3:30 a.m. on Wednesday, rather than at the planned time of 10 a.m. They featured a brief recording saying the calls were a test of the emergency notification system.
One Department of Finance employee, who asked THE CITY for confidentiality, said a number of workers had expressed concern about the widespread sharing of their personal information — particularly home addresses.
“We don’t know who out there has our information, how they’re going to use it and who they’re going to share it with,” the staffer said.
Associate Commissioner for Workforce Management Corinne Dickey sent an email to employees Wednesday morning letting them know the city’s Office of Technology & Innovation, as well as its Cyber Command, had been notified of the data breach.
“We are investigating this matter and working with our partners in Legal and FIT to determine the best course of action,” according to an email obtained by THE CITY.
Dickey didn’t identify the cause of the failure, instead writing that “an error occurred” in the timing of the call and that an email “was incorrectly issued to all DOF employees with a list of employee information.”
She identified the vendor that’s working on the notification system as the Massachusetts-based company, Everbridge, which describes itself as a critical incident management firm.
Asked about the incidents, Department of Finance spokesperson Ryan Lavis only addressed the pre-dawn automated phone calls. He didn’t respond when asked about the widely-shared employee information and whether it was sent to anyone outside the agency.
Everbridge spokesperson Jeff Young said there was no compromise of the firm’s platform and that the problems hadn’t been the result of a system error.
“We respect the confidentiality of our customers, and take it very seriously,” he said. “We’ll refer further questions to NYC DOF communications.”
Everbridge has an ongoing contract for over $6 million with the Office of Emergency Management to support the Notify NYC citywide mass notification system.
The incident follows at least two larger data breaches at the Department of Education, most recently in June when data concerning 45,000 students, including 9,000 social security numbers, were accessed as part of a global hack, according to Chalkbeat NY.
A month later, the DOE’s chief technology officer, Anuraag Sharma, submitted his resignation, the New York Post reported.
In January 2022, information about more than 800,000 current and former public school students was compromised in a hack, according to the New York Post.