Applicants to New York City’s affordable housing lottery program may be victims of a data breach, a CBS News New York investigation revealed.
A recent investigation revealed that personal information from hundreds of thousands of applications—some going back years—was publicly accessible online. The exposed data included salaries, home addresses, phone numbers, and, in certain instances, Social Security numbers.
Applicants’ Personal Information Surfaced in Search Results
Imagine typing your name into a search engine and seeing your apartment application—along with all the private details you shared with a landlord—among the top search results.
That’s exactly what happened to some applicants in New York City’s affordable housing lottery program. Their applications were just a few among hundreds of thousands that were found online, fully accessible to the public.
CBS News New York Investigates received a tip via email, alerting them that a website used to internally organize apartment applications for the city’s Housing Connect lottery was showing up in search results. The site often ranked high on Microsoft Bing, Yahoo, and DuckDuckGo when someone searched for an applicant’s name.
Those results linked to other pages containing vast lists of names, phone numbers, incomes—and in some cases—even Social Security numbers.
“Is that why I’ve been getting so many scam calls?” one applicant asked.
“Of course it worries me, because it’s not only my information, it’s my family’s information,” said another.
Company Says It Has Removed Applicants’ Information
The platform displaying applicants’ personal data is operated by Reside New York, a company authorized by the city to process tenant applications for private building developers participating in the program. The city designates Reside New York and similar firms as “Qualified Marketing Agents.”
Neither the city nor Reside New York agreed to speak with us on the record. However, just hours after we contacted the company, the exposed information was no longer accessible to the public. Reside New York’s Executive Director, Sam Rosenberg, responded with the following email:
“Thank you for bringing this to our attention. We take the privacy of our applicants extremely seriously and always maintain strict data protection protocols. We are reviewing the situation to understand what occurred and to ensure appropriate safeguards remain in place. At this time, the information in question is not accessible online, and we are taking all necessary steps to protect the privacy of our applicants.”
Expert Warns Data Likely Still Accessible to Scammers
CBS News New York investigative reporter Tim McNicholas asked NYU Tandon Computer Science Professor Justin Cappos whether removing the pages meant the information was truly gone.
“Almost certainly the answer is no for things like this,” Cappos said.
He described the exposed data as a goldmine for fraudsters.
“It’s entirely possible that this information was already retrieved by malicious parties,” he explained. “If I’m an attacker or scammer, I can go and, obviously, if I call you up on the phone and say, ‘Hey, I’m from the Housing Office, I need you to give me a deposit for this apartment.’”
The city’s Department of Housing Preservation and Development (HPD), which manages the Housing Connect program, provided the following statement:
“Every day, HPD works tirelessly to ensure that all New Yorkers have access to a safe, affordable place to call home, and we know how important it is that New Yorkers have faith that when they apply, their data is secure. We have communicated to Reside that this incident is an unacceptable violation of the standards for data privacy, handling, and security that we require, and expect, from all of our Qualified Marketing Agents. They will be receiving a corrective action plan from HPD in the immediate future. We understand how frustrating this is to New Yorkers, and even though HPD was not directly at fault, HPD is taking this situation very seriously, and we are taking the necessary steps to ensure that this does not happen ever again.”
Applicants Say They’ve Received No Notification About the Breach
Out of caution that the applications may still be circulating online, we are not identifying the victims we interviewed. Many expressed frustration that, in a city where affordable housing is already scarce, one of the few available options ended up compromising their privacy.
“They should really, at the very least, show that they’re changing it moving forward,” one applicant said.
“At least they should send a letter to apologize that they did something wrong,” another added.
Applicants Still Waiting for a Response from City or Reside New York
The applicants told us they have yet to hear anything from either Reside New York or the city regarding the breach.
According to HPD, this was not a “hack” but rather a result of how the portal was configured. The agency stated it recognizes the importance of data privacy and contacted Reside New York immediately after we reached out. HPD added that it’s now reviewing additional steps to better protect affected applicants.
Interestingly, the applications did not appear in Google search results when we searched applicant names. When we asked Google why, the company said it couldn’t investigate or explain further since the links have already been taken down.
We also contacted other search engines. Only Microsoft responded, saying it had immediately removed the links from Bing upon discovering the issue.
