Hundreds of thousands of New York City’s affordable housing lottery applicants have been ensnared in a significant data breach, exposing highly sensitive personal information online. A recent investigation by CBS News New York brought to light this alarming privacy violation, revealing that detailed applications, some dating back years, were publicly accessible on the internet.

The exposed data included critical personal identifiers such as salaries, home addresses, phone numbers, and in some egregious cases, even Social Security numbers. This level of exposure means that for many hopeful applicants, their most intimate financial and residential details were just a search query away, accessible to anyone with an internet connection.

The root of the problem lay with a website used internally to manage applications for the city’s Housing Connect lottery program. This platform, inadvertently configured for public indexing, was prominently appearing in search results on engines like Microsoft Bing, Yahoo, and DuckDuckGo when individuals searched for applicants’ names, turning a private process into a public record.

This critical online platform is under the management of Reside New York, a company approved by the city to act as a “Qualified Marketing Agent.” These agents are entrusted with reviewing tenant applications on behalf of private building developers within the Housing Connect initiative, underscoring the severe implications of the platform’s misconfiguration.

Swift action followed the revelation. Hours after CBS News New York contacted Reside New York, the exposed personal information was reportedly taken offline. Reside New York’s Executive Director, Sam Rosenberg, issued a statement acknowledging the issue and emphasizing their commitment to data protection, assuring that necessary steps were being taken to safeguard applicant privacy.

However, cybersecurity experts warn that simply taking the information offline does not erase the potential for harm. NYU Tandon Computer Science Professor Justin Cappos highlighted the possibility that malicious parties may have already retrieved the data. This means applicants remain vulnerable to scams, identity theft, or other forms of exploitation, as criminals could leverage the exposed details to pose as housing officials or other authorities.

The city’s Housing Preservation and Development Department (HPD), which oversees the Housing Connect program, clarified that the incident was not a “hack” but rather a misconfiguration of the portal. HPD stated that they understand the gravity of data privacy and immediately alerted Reside New York upon learning of the issue, initiating further investigations into protective measures for the affected applicants.

For the victims, the breach is a profound source of frustration and anxiety. In a city where finding affordable housing is already a formidable challenge, the very system designed to assist them inadvertently compromised their privacy, adding an unexpected layer of distress to their lives and underscoring the critical need for robust online security protocols in sensitive public programs.