Long Island venture capital firm Topspin Partners hacked

A Roslyn Heights venture capital firm was the victim of a cybersecurity breach that compromised data, including Social Security numbers, according to a government filing.

The firm, Topspin Partners, has backed Long Island startups, including Codagenix Inc., a Farmingdale-based synthetic biology company that is testing a COVID-19 vaccine administered through the nose in a World Health Organization trial.

Topspin Consumer Partners in Mamaroneck, an affiliate of Topspin Partners, earlier this month announced that tennis star Venus Williams was joining the firm as an operating partner.

Leigh Randall, managing partner of Topspin Consumer Partners, said that the firm was untouched by the online attack.

“Topspin Consumer Partners did not have any breach at all,” he said.

Leo Guthart, who co-founded Long Island’s Topspin Partners 23 years ago and serves as its managing partner, said legal advisers constrained him from discussing the online intrusion into the firm, which is no longer making new investments.

Topspin Partners reported the cybersecurity breach to the Massachusetts Office of Consumer Affairs and Business Regulation on March 12. Massachusetts requires organizations to notify consumers whose information might be at risk.

Unlike many states, Massachusetts also publishes reports, viewable by the public, detailing those data break-ins, including whether Social Security numbers have been compromised.

A letter from Topspin Partners said it had retained legal counsel and a cybersecurity firm to investigate the attack.

New York State law requires enterprises to notify affected state residents, the state Attorney General’s office, the State Police and the Department of State's Division of Consumer Protection. Data breaches generally are not disclosed to the public. It was unclear how many New Yorkers were affected. 

In 2021, at least two other venture capital firms, Sequoia Capital, based in Menlo Park, California, and Advanced Technology Ventures, based in Boston and Menlo Park, said they were hacked.

Sequoia said it was a victim of a phishing attack, a cyber intrusion in which  hackers gain entry to systems by sending fraudulent emails or text messages.

Advanced Technology Ventures told officials that hackers launched a ransomware attack on its servers. Data exposed was believed to include names, email addresses, phone numbers, and Social Security numbers of investors, the VC firm told regulators.

Personal information about investors, often wealthy individuals, typically is closely guarded by venture capital firms.

Hackers can dwell in networks “for weeks to months before they are detected,” said Steve Morgan, founder of Northport-based Cybersecurity Ventures, publisher of Cybercrime Magazine.

Morgan said some companies may learn of an intrusion, but pretend that they are unaware, in the hope that the perpetrators will leave evidence for investigators.

Still, he said, victims want to be alerted promptly.

“Any customer of any business wants to know their risk exposure to a breach immediately upon a company learning about it,” Morgan said.

All 50 states plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws requiring private businesses to report data breaches, he said.

Attackers demanded a $2.5 million ransomware payment after a September attack on Suffolk County’s online system. The county refused to pay, but some of its online services were crippled for months afterward.

By Ken Schachter

kenneth.schachter@newsday.comkschach

Ken Schachter covers corporate news, including technology and aerospace, and other business topics for Newsday. He has also worked at The Miami Herald and The Jerusalem Post.