According to Rhode Island Gov. Dan McKee, the state was informed of a "major security threat" by the consulting firm Deloitte, which manages the social services platform RIBridges.
# Incident Report: Massive Data Extortion Attack on Rhode Island Benefits System (RIBridges)
## Executive Summary
A major security incident originating from an extortion attempt by a ransomware group against Deloitte, the manager of Rhode Island's critical RIBridges benefits system, resulted in the theft of data belonging to hundreds of thousands of residents. The state was forced to shut down the system after hackers provided verified evidence of exfiltrated data, leading to significant operational disruption during the health insurance open enrollment period. Response efforts are currently focused on containing the potential data leak, providing identity protection services to affected citizens, and managing essential services primarily via paper processes while investigations with federal partners continue.
## Incident Details
- Discovery Date: December 10, 2024 (Verification of stolen data) / December 13, 2024 (System shutdown due to malicious files)
- Incident Date: Initial extortion contact from the threat actors on or about December 5, 2024
- Affected Organization: State of Rhode Island (RIBridges system managed by Deloitte)
- Sector: Government / Social Services (SNAP, Medicaid, Health Insurance)
- Geography: United States (Rhode Island)
## Timeline of Events
### Initial Access
- Date/Time: On or before December 5, 2024
- Vector: Not disclosed; the intrusion surfaced as an extortion/data-theft claim rather than through detection of the entry point.
- Details: The attackers contacted Deloitte, the system manager, with an extortion message claiming to have exfiltrated 1 terabyte of data from the RIBridges system.
### Lateral Movement
- Details: Not described in the available reporting; some internal movement is implied by the volume of data (1 TB) that was exfiltrated.
### Data Exfiltration/Impact
- Date/Time: Between December 5 and December 10, 2024
- Details: On December 10 the attackers shared a screenshot of folders and files, which Deloitte verified as genuine exfiltrated data. A total of 1 terabyte of data was stolen. The incident was classified as an extortion attack: systems were *not* encrypted, so this was data theft with an extortion demand rather than a traditional ransomware deployment.
### Detection & Response
- Date/Time: December 13, 2024 (Friday)
- Details: State officials discovered "malicious files" on the system potentially capable of causing damage, prompting an immediate shutdown of RIBridges. A hotline was established on Sunday, and affected residents are being notified by mail with credit monitoring offers. State police, FBI, and CISA are involved. Negotiations for the ransom are being handled solely by Deloitte, though state lawyers will consult before any payment.
## Attack Methodology
- Initial Access: Unknown specific vector, but achieved access to the third-party managed system (RIBridges).
- Persistence: Not specified.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified, but the threat actors successfully exfiltrated data before initial detection.
- Credential Access: Inferred from the theft of PII and banking information; no specific credential compromise was reported.
- Discovery: Attackers performed internal reconnaissance/validation (sharing screenshots of stolen files).
- Lateral Movement: Inferred component of the 1 TB data exfiltration.
- Collection: Gathered PII, dates of birth, SSNs, banking information, etc., related to social services and health coverage applicants/recipients.
- Exfiltration: 1 Terabyte of data stolen.
- Impact: Data theft/extortion threat; operational disruption requiring a system shutdown.
## Impact Assessment
- Financial: Deloitte is expected to cover the financial burden, including credit monitoring costs. The state is concerned about potential illegal access to state funds using stolen information.
- Data Breach: Hundreds of thousands of Rhode Island residents impacted. Data includes Names, Addresses, Dates of Birth, Social Security Numbers (SSNs), and Banking Information.
- Operational: Severe disruption to eligibility determination for SNAP, Medicaid, and HealthSource RI. The state plans to revert to paper applications, complicating the ongoing health insurance open enrollment period (Nov 1 - Jan 31).
- Reputational: High public scrutiny evidenced by multiple press conferences and potential reevaluation of the state's contract with Deloitte.
## Indicators of Compromise
- Network indicators: Not disclosed.
- File indicators: "Malicious files" discovered on the system (specific hashes not provided).
- Behavioral indicators: Extortion demand received by Deloitte; screenshot of file listings supplied by the threat actors and verified as genuine. Attributed threat actor: **Brain Cipher** ransomware group.
## Response Actions
- Containment measures: Immediate shutdown of the RIBridges system on December 13.
- Eradication steps: Ongoing investigation being conducted by state officials, FBI, and CISA.
- Recovery actions: Reverting impacted programs (Medicaid, SNAP) to paper applications; setting up a dedicated hotline; notifying affected residents via mail with offers for free credit monitoring.
## Lessons Learned
- Over-reliance on third-party management (Deloitte) for critical infrastructure exposes the organization to vendor-specific risks.
- Proactive discovery of malicious files following extortion attempts proved critical for immediate system shutdown.
- The gap between the initial extortion contact (Dec 5) and verification of the stolen data (Dec 10) delayed the full defensive response; threat notifications from a vendor should trigger immediate, thorough confirmation.
## Recommendations
- Conduct an immediate and thorough audit of all systems and contracts managed by third-party vendors handling sensitive state data.
- Enhance monitoring and threat hunting capabilities across state networks, especially concerning systems managed by external entities.
- Develop and regularly test a robust operational continuity plan that allows for immediate reversion to manual/paper processes for critical benefits distribution during IT outages.
- Review and strengthen Data Loss Prevention (DLP) measures surrounding PII and SSNs within the state's service management platforms.