Applicants to New York City’s affordable housing lottery program may be victims of a data breach, a CBS News New York investigation revealed.
Hundreds of thousands of applications dating back years were publicly viewable online, including salaries, home addresses, phone numbers and, in some cases, Social Security numbers.
Applicants’ info appeared in search results
Imagine someone typing your name into a search engine and one of the top results is your apartment application and the private details you sent the landlord.
That’s what happened to the New York City affordable housing lottery applicants we spoke with. Their applications were among hundreds of thousands that we discovered online – publicly viewable.
An email to the CBS News New York investigates tipline informed us that a website used to internally sort applications for apartments in the city’s Housing Connect lottery program was popping up in search results. It often appeared as one of the top results in Microsoft Bing, Yahoo and Duck Duck Go when searching applicants’ names.
Those links included links to other pages with hundreds of thousands of applicants’ names, numbers and incomes. Some pages even included Social Security numbers.
“Is that why I’ve been getting so many scam calls?” one applicant wondered.
“Of course it worries me, because it’s not only my information, it’s my family’s information,” said another.
Company says applicants’ information has been pulled
That online platform is managed by Reside New York, one of the companies the city approved to review tenant applications on behalf of private building developers in the program. The city refers to Reside New York and other approved companies as “Qualified Marketing Agents.”
Neither the city nor Reside New York agreed to interviews with us, but hours after we reached out to the company, we discovered the information was no longer publicly viewable. Reside New York’s Executive Director Sam Rosenberg sent us the following email:
“Thank you for bringing this to our attention. We take the privacy of our applicants extremely seriously and always maintain strict data protection protocols. We are reviewing the situation to understand what occurred and to ensure appropriate safeguards remain in place. At this time, the information in question is not accessible online, and we are taking all necessary steps to protect the privacy of our applicants.”
CBS News New York’s investigative reporter Tim McNicholas asked NYU Tandon Computer Science Professor Justin Cappos if that means the information is gone.
“Almost certainly the answer is no for things like this,” Cappos explained.
He called it a goldmine for fraudsters.
“It’s entirely possible that this information was already retrieved by malicious parties,” said Cappos, adding, “If I’m an attacker or scammer, I can go and, obviously, if I call you up on the phone and say, ‘Hey, I’m from the Housing Office, I need you to give me a deposit for this apartment.'”
The city’s Housing Preservation and Development Department, or HPD, which oversees the Housing Connect program, sent us the following statement:
“Every day, HPD works tirelessly to ensure that all New Yorkers have access to a safe, affordable place to call home, and we know how important it is that New Yorkers have faith that when they apply, their data is secure. We have communicated to Reside that this incident is an unacceptable violation of the standards for data privacy, handling, and security that we require, and expect, from all of our Qualified Marketing Agents. They will be receiving a corrective action plan from HPD in the immediate future. We understand how frustrating this is to New Yorkers, and even though HPD was not directly at fault, HPD is taking this situation very seriously, and we are taking the necessary steps to ensure that this does not happen ever again.”
Applicants say they haven’t been contacted about the breach
In case there’s any chance the applications are still out there, we are not naming the victims we spoke with. They say they are frustrated that, in a city where affordable housing is so hard to find, one of the few options caused an invasion of their privacy.
“They should really, at the very least, show that they’re changing it moving forward,” one applicant said.
“At least they should send a letter to apologize that they did something wrong,” said another.
Those applicants said they haven’t heard anything about this from either Reside New York or the city.
HPD said this was not a “hack,” and the information was viewable because of the way the portal was configured. The agency also said it understands the importance of data privacy and alerted Reside New York as soon as we reached out, and they are now looking into what else can be done to protect the affected applicants.
The applications didn’t appear in Google’s search results when we used Google to search applicant names. We asked Google why that it is, but it said it can’t explain or investigate because the links are gone now.
We also reached out to the other sites, and only Microsoft responded, saying it immediately removed the results from Bing when it discovered the issue.
Do you have a story that needs investigating? Let us know.