Dysruption Hub reports: Puerto Rico officials say a Thanksgiving-week cyberattack on IT contractor Truenorth Corporation briefly disrupted systems at three major agencies but did not compromise citizen data, even as independent reporting describes a broader ransomware incident. Truenorth Corporation, an IT services firm that runs key systems for multiple Puerto Rico government agencies, was the...
# Incident Report: Ransomware Attack on Puerto Rico IT Vendor Truenorth
## Executive Summary
In Thanksgiving week 2025, Truenorth Corporation, an IT contractor supporting multiple Puerto Rican government agencies, was hit by a ransomware attack. This incident briefly disrupted services at three major agencies: the Department of Education, the Puerto Rico Health Insurance Administration (ASES), and the State Insurance Fund Corporation (CFSE). While officials claim citizen data was not compromised, independent reporting suggests a broader ransomware incident occurred.
## Incident Details
- **Discovery Date:** Tuesday, November 25, 2025 (Detection of ransomware)
- **Incident Date:** Beginning Tuesday, November 25, 2025 (Thanksgiving week)
- **Affected Organization:** Truenorth Corporation (Primary target); Department of Education, ASES, CFSE (Affected clients)
- **Sector:** Government/IT Services
- **Geography:** Puerto Rico, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Tuesday, November 25, 2025
- **Vector:** Undisclosed, but categorized as a **Ransomware Attack**.
- **Details:** The incident began when a ransomware attack was detected against Truenorth Corporation.
### Lateral Movement
- **Details:** The attack quickly rippled from Truenorth into key systems utilized by the client agencies (CFSE, ASES, and Education).
### Data Exfiltration/Impact
- **Details:** Systems at three major agencies experienced brief disruption. Officials stated citizen data was **not compromised**. Independent reporting describes the incident as a broader ransomware incident, implying potential data impact beyond official statements.
### Detection & Response
- **Detection:** Ransomware activity was detected on November 25th.
- **Response Actions:** Not detailed in the source material, but incident management protocols related to government service continuity were initiated.
## Attack Methodology
*Note: Specific technical details are sparse in the source; this reflects available information.*
- **Initial Access:** Ransomware deployment (Method undisclosed).
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown, but sufficient to impact multiple client systems.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Through interconnected systems used by client agencies.
- **Collection:** Unknown (Ransomware-class activity often includes reconnaissance/collection).
- **Exfiltration:** Unknown (Ransomware incidents frequently include extortion based on exfiltration).
- **Impact:** Disruption of the vendor's systems and, through them, of government services at the affected agencies.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Officials claim **no citizen data was compromised**. The scope of any data loss at Truenorth itself, or at its other clients, is unclear.
- **Operational:** Brief disruption to services at the Department of Education, ASES, and CFSE.
- **Reputational:** Public disclosure likely weakened trust in government IT service providers. (Note: The State Elections Commission, another Truenorth contract holder, was reportedly **not affected**.)
## Indicators of Compromise
- *No specific IoCs (IPs, Domains, File Hashes) were provided in the source material.*
## Response Actions
- Containment, Eradication, and Recovery actions were initiated by Truenorth and government entities to restore services at the affected agencies. Specific technical actions are undocumented in the provided text.
## Lessons Learned
- Reliance on a single IT contractor (Truenorth holds contracts with about 14 agencies) creates a significant single point of failure for critical government functions.
- The discrepancy between official statements ("no compromise") and independent reporting ("broader ransomware incident") highlights challenges in accurate and timely disclosure during a crisis.
## Recommendations
- Conduct thorough third-party risk assessments across all critical IT vendors serving government infrastructure.
- Mandate or implement segmentation between systems belonging to different client agencies, even when they are managed by the same vendor, to limit the blast radius of a single compromise.
- Establish transparent and redundant communication channels separate from standard IT infrastructure for incident reporting and updates.