The Hive ransomware operation claimed responsibility for an attack on the New York Racing Association (NYRA), which previously disclosed that a cyber attack on June 30, 2022, impacted IT operations and website availability and compromised member data.
NYRA is the operator of the three largest thoroughbred horse racing tracks in New York, namely the Aqueduct Racetrack, the Belmont Park, and the Saratoga Race Course.
According to the security breach notifications sent to impacted individuals late last month and shared with the authorities last week, the threat actors may have exfiltrated the following member information:
- Social security numbers (SSNs)
- Driver’s license identification numbers
- Health records
- Health insurance information
The data breach notifications also include details on how to enroll for a 24-month long identity protection service through Experian, the cost for which is covered by NYRA.
Additionally, the letter recipients should consider placing a credit freeze or ordering credit reports frequently and reviewing them carefully.
BleepingComputer has reached out to NYRA for more details on the incident, but we have not received a response yet.
From what seems to be the case, horse racing hasn’t been impacted by the incident because there have been no changes in the calendar, and race betting continues as usual.
However, the association’s website remains out of reach, which sends the message that the effects of the attack haven’t been wholly mitigated yet.
Hive takes responsibility
Yesterday, the Hive ransomware gang took responsibility for the attack on NYRA by listing them as a victim on their extortion site.
The hackers have also published a link to freely download a ZIP archive containing all of the files they allegedly stole from NYRA’s systems, so we can only assume that negotiations for a ransom payment have reached a dead end.
Hive is currently among the most active high-tier ransomware gangs, recently hitting Bell Canada and the Damart clothing store chain, while announcing several more victims that haven’t publicly admitted a security incident.