Rhode Island Releases Details of RIBridges Hacking Investigation
The state of Rhode Island has released a summary of the findings of an investigation by the cybersecurity firm CrowdStrike into the hacking of the Rhode Island state benefit system, known as RIBridges, by the Brain Cipher threat group.
Brain Cipher members were able to gain access to 28 of the 338 environments that comprise the RIBridges system and stole sensitive data such as names, addresses, birth dates, Social Security numbers, and health information. The affected individuals had previously signed up to receive public benefits such as food stamps or private health insurance through the HealthSource RI portal. The state issued notification letters to around 657,000 individuals in January informing them that their sensitive data may have been compromised in the incident.
The forensic investigation determined that 114,879 individuals who received the notifications in January had not in fact been affected, although an additional 107,757 individuals had been affected but were not notified in January. They include approximately 30,000 individuals whose data was collected during employment checks or verifications through the child support system and the Department of Children, Youth, and Families. Notification letters are now being sent to those 107,757 individuals. The final total stands at 644,401 affected individuals, who have been offered complimentary credit monitoring and identity theft protection services for 5 years.
The investigation started on December 16, 2024, and concluded on January 31, 2025. According to state officials, Brain Cipher actors gained access to the RIBridges system through the RIBridges Virtual Private Network (VPN) using the credentials of a Deloitte employee. Deloitte is the vendor used by the state of Rhode Island to manage the RIBridges system. CrowdStrike was unable to determine how the credentials were obtained, or whether multifactor authentication was in place or had been bypassed.
Brain Cipher first accessed a non-production environment within the RIBridges system on July 2, 2024; however, the intrusion was not detected until November 28, 2024. After authenticating with the RIBridges VPN, the threat actor performed initial reconnaissance and lateral movement from an application server to six other systems. Privileges were escalated on two systems via Image File Execution Options (IFEO) injection, and credential harvesting was performed on six systems within the RIBridges environment.
Commercially available remote monitoring and management (RMM) tools were used along with a reverse proxy tool to maintain access to the environment. During the five months of access, Brain Cipher performed data access, staging, and data exfiltration from 28 systems. Large data transfers were performed by Brain Cipher out of the RIBridges system in November.
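The IFEO injection named above (MITRE ATT&CK T1546.012) leaves registry values behind that a defender can audit. The following is an added example, not part of the CrowdStrike findings or the original article: it parses a `reg export` of the IFEO key and flags `Debugger` values and the silent-process-exit `GlobalFlag` bit. The summary does not say which value was used in this intrusion, and the sample data, the allowlist and the function name `audit_ifeo` are constructed assumptions.

```python
import re

# Constructed sample in `reg export` text form (made-up names); real exports are UTF-16.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-viewer.exe]
"MitigationOptions"=hex:00,00,00,00,00,01,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-agent.exe]
"Debugger"="C:\\Users\\Public\\helper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-dev.exe]
"Debugger"="\"C:\\Windows\\System32\\vsjitdebugger.exe\" -p %ld"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-svc.exe]
"GlobalFlag"=dword:00000200
'''

IFEO_KEY = re.compile(r'^\[.*\\Image File Execution Options\\([^\\\]]+)', re.I)
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# Assumption: site-specific allowlist of debuggers developers may legitimately register.
ALLOWED = {r'c:\windows\system32\vsjitdebugger.exe'}
SILENT_EXIT = 0x200  # GlobalFlag bit that enables silent-process-exit monitoring

def audit_ifeo(reg_text, allowed=ALLOWED):
    """Return (image, value, data, severity) for IFEO values that redirect or monitor a process."""
    findings, image = [], None
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith('['):
            key = IFEO_KEY.match(line)
            image = key.group(1) if key else None   # None: key is not under IFEO
            continue
        val = VALUE.match(line)
        if not (image and val):
            continue
        name, data = val.group(1).lower(), val.group(2)
        if name == 'debugger' and data.startswith('"'):
            cmd = re.sub(r'\\(.)', r'\1', data[1:-1])          # undo .reg string escaping
            exe = re.match(r'"([^"]+)"|(\S+)', cmd)            # first token is the binary
            path = (exe.group(1) or exe.group(2)).lower() if exe else ''
            findings.append((image, 'Debugger', cmd, 'review' if path in allowed else 'alert'))
        elif name == 'globalflag' and data.lower().startswith('dword:'):
            if int(data[6:], 16) & SILENT_EXIT:
                findings.append((image, 'GlobalFlag', data, 'alert'))
    return findings

if __name__ == '__main__':
    for finding in audit_ifeo(SAMPLE_REG):
        print(finding)
```

Benign IFEO values such as `MitigationOptions` are ignored, and an allowlisted debugger is still reported at `review` severity so that each registration is accounted for.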
It was not the data transfers that alerted Deloitte to the hack, but rather a post on the Brain Cipher data leak site on December 4, 2024, claiming data had been stolen. Deloitte investigated the claim and identified suspicious activity, although it took until December 13, 2024, for the breach of the RIBridges system to be confirmed. When it was confirmed that the RIBridges system had been compromised, it was shut down and remained offline for around a month. No evidence was found of any ransomware on the system.
According to the CrowdStrike investigation, the RIBridges firewall denied traffic from an external cloud storage provider IP address to an internal IP address on September 10, 2024, and between November 11, 2024, and November 28, 2024, the firewall management portal generated 397 alerts from 15 systems about large data transfers to an external cloud storage provider. “Deloitte missed some issues that we certainly hold them responsible for,” said state Governor Dan McKee. “That this would be undetected for that period of time is something that is just unacceptable.” Governor McKee confirmed that the state will be pursuing all avenues in its efforts to ensure accountability and is considering legal action against Deloitte.
The state plans to choose a vendor to modernize the RIBridges system, but it is likely to take between 18 and 24 months to roll out the new system. In the meantime, Deloitte will continue to manage the RIBridges system. The state is also planning on increasing the size of its IT workforce and has requested the budget for an additional 15 hires, including an RIBridges Technical Lead.
February 5, 2025: Deloitte to Pay $5 Million to Rhode Island to Cover Ransomware Attack Expenses
Rhode Island Governor Dan McKee has announced that Deloitte has agreed to pay $5 million to the state of Rhode Island to cover expenses incurred as a result of a December 2024 ransomware attack. The ransomware attack caused a prolonged outage of the state’s RI Bridges system, which is used to manage eligibility for public benefits, including programs such as Medicaid, SNAP, HealthSource RI, and RI Works.
The cyberattack was detected on December 5, 2024, and resulted in the prolonged outage of the RI Bridges system. The personal information of more than 650,000 Rhode Islanders was stolen in the attack, and the data was added to the ransomware group’s data leak site when the ransom was not paid. Information stolen and published included names, contact information, employment details, and Social Security numbers.
For around 2 months, the outage of the RI Bridges system prevented approximately 2,000 Rhode Islanders from enrolling in state-paid healthcare coverage by Blue Cross & Blue Shield and Neighborhood Health. Lindsay Musser Hough, Principal at Deloitte Consulting, said the commitment to pay $5 million to the state was not an admission of wrongdoing or fault and is being provided “in the spirit of supporting the state and its constituents in their response to the bad actor’s cyberattack.” Announcing the payment, Governor McKee said, “Deloitte has recognized that the state has immediate and unexpected expenses related to the breach, and we appreciate their willingness to lend financial support.”
Deloitte has also paid for credit monitoring and identity theft protection services for the 650,000+ individuals who had their data stolen in the ransomware attack, and is also covering the cost of the data breach call center.
January 13, 2025: Rhode Island Starts Notifying Individuals Affected by RI Bridges Ransomware Attack
Rhode Island Governor Dan McKee has confirmed that individual notification letters started to be mailed to the individuals whose personal data was stolen in the December 2024 ransomware attack on the RI Bridges system on January 10, 2025. Individuals affected by the incident have been offered 5 years of complimentary credit monitoring services through Experian and are being encouraged to take advantage of those services as soon as possible. The deadline for signing up for those free services is April 30, 2025.
The notification letters provide instructions for signing up for the credit monitoring services, including a required activation code. State residents can sign up for the credit monitoring services online or over the phone (833-918-6603). The phone lines are manned Monday through Friday from 9 a.m. to 9 p.m., and on weekends from 11 a.m. to 8 p.m.
The data breach is still being investigated by Deloitte and more individuals may have been affected than the initial review suggests. In such cases, notification letters will be promptly sent to those individuals. “We understand the concerns this breach has caused for our residents,” said Governor McKee. “We appreciate everyone’s patience as these letters are delivered.” State officials are confident that the source of the intrusion has been identified and steps have been taken to ensure the RI Bridges systems can be safely restored. The first phase of that process has been completed and the second phase is underway to restore the public-facing part of the system, which is expected to be brought back online in mid-January.
The state has yet to confirm exactly how many individuals have been affected but has previously indicated approximately 650,000 state residents had their personal data exposed or stolen in the ransomware attack.
December 31, 2025: Ransomware Group Behind RI Bridges Attack Starts Leaking Stolen Data
The ransomware group (Brain Cipher) behind the cyberattack on Rhode Island’s online health and human services platform has started to leak stolen files on the dark web, according to State Governor Daniel McKee. Deloitte has been monitoring the dark web and informed the state Attorney General about the data leak.
The Brain Cipher group promised to leak the stolen data if the ransom was not paid, and the data leak indicates the ransom has not been paid. Brain Cipher allegedly demanded a ransom payment of $23 million in cryptocurrency to prevent the stolen data from being leaked. “This is a scenario that the State has been preparing for, which is why earlier this month we launched a statewide outreach strategy to encourage potentially impacted Rhode Islanders to protect their personal information,” said AG McKee.
McKee said Deloitte is investigating and reviewing the impacted files to determine which individuals have been affected and is also looking to analyze the leaked data; however, the analysis of the leaked data has not yet been completed. The HIPAA Journal has been periodically monitoring the Brain Cipher dark web data leak site to determine if data has been released. The site has been largely inaccessible, which will limit the potential for unauthorized individuals to obtain the leaked data.
Dissent from databreaches.net reached out to the Brain Cipher group after receiving no response from Deloitte. The group confirmed they were behind the attack and provided a preview of the data they would be leaking, and said they have been experiencing a DDoS attack on their data leak site, indicating someone is trying to prevent the group from leaking the data. The identity of the third party or third parties is unknown.
December 27, 2024: Rhode Island Ransomware Attack May Affect Half of State Residents
The cyberattack that forced the shutdown of Rhode Island’s public benefits system (RI Bridges) has potentially exposed the personal data of more than half of the population of the state – approximately 650,000 individuals, according to state Governor Daniel McKee.
McKee said conversations between Deloitte and the Brain Cipher group are ongoing, he is being kept informed of any progress, and no sensitive data appears to have been publicly released so far. He did not provide any information about how much the attackers are demanding to prevent the release of the stolen data, or if there is any intention to pay the ransom. Deloitte is working on restoring the crippled RI Bridges system as soon as possible, although it is not expected to be brought back online until some point in January.
December 17, 2024: Brain Cipher Group Claims Responsibility for Rhode Island Ransomware Attack
The Brain Cipher ransomware group has claimed responsibility for the Rhode Island RI Bridges ransomware attack and is threatening to publish the stolen data if the ransom demand is not paid. Brain Cipher is a relatively new ransomware operation that first appeared in June 2024. The group has already conducted some major attacks, including an attack on the National Data Center in Indonesia, which disrupted operations at more than 200 government agencies and saw the group demand an $8 million ransom payment. The group engages in double extortion and maintains a data leak site where stolen data is published if the ransom is not paid.
Brain Cipher claimed responsibility for a ransomware attack earlier this month and added Deloitte to its data leak site. Deloitte has issued a statement confirming that only the RI Bridges system was affected by the ransomware attack. The Deloitte listing on the Brain Cipher data leak site has a countdown clock that indicated the data leak would occur on December 17, 2024, if the ransom was not paid; however, on December 19, 2024, the countdown clock was still ticking down and showed 13 hours remaining, after having been reset. The ransomware group appears to still be holding out for a ransom payment.
On December 16, 2024, State Governor Daniel McKee issued a public service announcement encouraging all state residents who have used any of the affected systems in the past to take immediate action to protect themselves against identity theft and fraud. The RI Bridges hack will almost certainly lead to attempted data misuse by cyber criminals if the ransomware group releases the stolen data.
December 15, 2024: Hundreds of Thousands of Rhode Island Residents Affected by RI Bridges Data Breach
Hundreds of thousands of Rhode Island residents have had their data stolen in a cyberattack on the state government’s RI Bridges system, an online portal used by state residents to obtain social services and health insurance. Vendor Deloitte identified a potential RI Bridges system breach on December 5, 2024, and after confirming the unauthorized access, the portal was shut down on December 13 as a precaution. Deloitte has been working with state officials, IT experts, and law enforcement to investigate the cyberattack and data breach and limit its impact.
While the cyberattack was not initially described as a ransomware attack, Rhode Island’s Chief Digital Officer, Brian Tardiff, confirmed that a threat actor had installed malware and issued a ransom demand, payment of which was required to prevent the publication of the stolen data. It has yet to be confirmed how many individuals have been affected or the exact types of data stolen in the attack. Deloitte said it is still evaluating the data theft incident and said it is likely that information such as names, addresses, dates of birth, Social Security numbers, and potentially bank account information was involved.
Any individuals who applied for or received benefits or health insurance through the RI Bridges system may have been affected. The programs and benefits managed through the RI Bridges system include, but are not limited to:
- Medicaid
- Supplemental Nutrition Assistance Program (SNAP)
- Temporary Assistance for Needy Families (TANF)
- Child Care Assistance Program (CCAP)
- Health insurance purchased through HealthSource RI
- Rhode Island Works (RIW)
- Long-Term Services and Supports (LTSS)
- General Public Assistance (GPA) Program
Rhode Island Governor Daniel McKee confirmed on Friday that the number of Rhode Islanders potentially affected was in the hundreds of thousands. Individual notifications will be mailed to all individuals affected by the Rhode Island data breach when the data breach investigation is concluded. Due to the sensitivity of the data stolen in the ransomware attack, anyone who applied for or obtained benefits or health insurance through any of the above programs should be vigilant against identity theft and fraud, monitor their accounts closely, and take advantage of any available free credit monitoring services. They have also been advised to consider placing a credit freeze or fraud alert with one of the three main credit bureaus and to change any common or reused passwords. State officials have not detected any misuse of the impacted data so far. The hackers are still holding out for a ransom payment and are likely to release the stolen data in the coming week if the ransom is not paid. The state has set up a helpline for state residents to find out more about the Rhode Island data breach. The helpline – 833-918-6603 – will be staffed Mondays through Fridays from 9 a.m. to 9 p.m.

