The State of Rhode Island has confirmed that cybercriminals have begun publishing data stolen from its social services portal, the RIBridges system.
# Incident Report: Rhode Island Citizen PII Leak via Vendor Compromise
## Executive Summary
Cybercriminals, identified as the Brain Cipher ransomware group, compromised data stored on the RIBridges social services portal managed by Deloitte, resulting in the exfiltration of Rhode Island citizens' Personally Identifiable Information (PII). The data began appearing on the dark web in late December 2024. The primary response involves forensic analysis, informing affected individuals, and keeping the portal offline while urging citizens to take preemptive measures against fraud.
## Incident Details
- **Discovery Date:** December 2024 (Deloitte informed the state of the likely compromise) / December 30, 2024 (publication on the dark web confirmed)
- **Incident Date:** Early December 2024 (breach claimed by Brain Cipher)
- **Affected Organization:** State of Rhode Island (specifically, data handled by the vendor Deloitte)
- **Sector:** Government/Social Services
- **Geography:** Rhode Island, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Early December 2024
- **Vector:** Compromise of a vendor system (Deloitte's environment hosting the RIBridges system)
- **Details:** The ransomware group Brain Cipher claimed to have breached Deloitte and stolen 1TB of compressed data related to a single client system (Rhode Island's RIBridges portal). Deloitte stated that the compromised system sits outside its main network.
### Lateral Movement
- **Details:** The source does not describe movement *within* the state network; the initial access targeted the system holding PII associated with health coverage and human services programs.
### Data Exfiltration/Impact
- **Details:** Personally Identifiable Information (PII) belonging to Rhode Island citizens who received or applied for health coverage and/or health and human services program benefits was stolen. This data was published on the dark web by December 30, 2024.
### Detection & Response
- **How it was discovered:** Detected when the vendor (Deloitte) informed the State of Rhode Island about the likely PII compromise in December 2024.
- **Response actions taken:** IT teams began analyzing released files; the RIBridges web portal was taken offline; the state is working with Deloitte to identify and inform impacted individuals.
## Attack Methodology
- **Initial Access:** Allegedly via exploitation of Deloitte's processing environment for the RIBridges system.
- **Persistence:** Not specified; the actor likely maintained access to the compromised system until exfiltration was complete.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified, but the actor exfiltrated 1TB of data without being stopped.
- **Credential Access:** Not specified, but some level of access was required to read and exfiltrate the PII.
- **Discovery:** Not specified; likely internal reconnaissance on the compromised system.
- **Lateral Movement:** Not specified.
- **Collection:** Gathering of PII from the RIBridges system.
- **Exfiltration:** Theft of 1TB of compressed data, subsequently published on the group's TOR-based leak site.
- **Impact:** Public disclosure/leak of PII, potential for identity theft and social engineering against citizens.
## Impact Assessment
- **Financial:** Not estimated, but costs will include remediation, notification, and potential liability associated with the breach.
- **Data Breach:** PII of Rhode Island citizens who used the social services portal (health coverage/human services beneficiaries) was compromised and released publicly.
- **Operational:** The RIBridges web portal remains offline during the investigation.
- **Reputational:** Significant reputational damage to both the State of Rhode Island and the vendor, Deloitte.
## Indicators of Compromise
- **Network indicators:** TOR-based data leak site used by Brain Cipher (defanged placeholder: `hxxp://[TOR_SITE_ADDRESS_FOR_BRAIN_CIPHER]`; the actual address is not given in the source)
- **File indicators:** No file hashes are reported; the stolen material is described only as a large volume of data (1TB compressed).
- **Behavioral indicators:** Brain Cipher ransomware group activity; multi-pronged extortion attempt (theft followed by publication).
## Response Actions
- **Containment measures:** The RIBridges web portal has been taken offline.
- **Eradication steps:** IT teams are analyzing the released files; no further eradication steps are reported.
- **Recovery actions:** Identifying and notifying all impacted individuals; the state is working with Deloitte to manage the incident.
## Lessons Learned
- Reliance on a third-party vendor (Deloitte) introduces supply chain risk to systems holding sensitive citizen data.
- The threat actors (Brain Cipher) followed through on publishing the data once the ransom deadline passed without payment.
- The state had prepared for data compromise scenarios, indicating pre-existing incident response planning.
## Recommendations
- Conduct thorough security audits and segmentation checks on all vendor environments that process sensitive PII, ensuring that boundaries between vendor networks and client systems are strictly enforced.
- Enhance monitoring around identified critical data repositories (such as the RIBridges system data), with particular attention to large outbound transfers.
- Proactively communicate protective measures to citizens (e.g., credit monitoring, fraud alerts).