This Agency’s Computers Hold Secrets. Hackers Got In With One Password.

Hackers used one worker’s login information to penetrate the Law Department’s network after officials failed to implement a simple security measure.

New York City’s Law Department holds some of the city’s most closely guarded secrets: evidence of police misconduct, the identities of young children charged with serious crimes, medical records and personal data for thousands of city employees. But all it took for a hacker to infiltrate the 1,000-lawyer agency’s network early this month was one worker’s pilfered email password, according to a city official briefed on the matter. Officials have not said how the intruder obtained the worker’s credentials, nor have they determined the scope of the attack. But the hack was enabled by the Law Department’s failure to implement a basic safeguard, known as multifactor authentication, more than two years after the city began requiring it, according to four people with knowledge of legal agency’s system and the incident.