PROVIDENCE – The hacking group Brain Cipher first infiltrated the RIBridges system on July 2, 2024, via a Deloitte employee's VPN account, months before the breach was identified, according to the findings of an investigation by cybersecurity firm CrowdStrike released Thursday by the administration of Gov. Daniel J. McKee.
An executive summary states that "the method of credential acquisition remains unclear," but the firm found no evidence that ransomware was deployed within RIBridges, which is managed by Deloitte Consulting LLP, or in other state systems.
Chief Information Security Officer Brian Tardiff said more than 8.5 million files were examined in the investigation, and that additional notification letters will be sent to those whose personal data may have been compromised.
Asked whether the state agreed to any financial demands made by Brain Cipher, officials said they were advised by state and federal authorities not to pay any ransom to the group, which released a portion of the stolen data on the dark web in January, where it remains today.
The forensic analysis concluded that the breach compromised the personal information of more than 644,000 individuals, with stolen data including Social Security numbers, bank account details, and health insurance information from HealthSource RI, as well as eligibility for various state social service programs, including Medicaid and child care services. An additional 107,757 names were identified, though some were not RIBridges customers but people whose files were shared with federal agencies for verification purposes.
The RIBridges portal was taken offline on Dec. 13 as a precaution.
The July 2 breach was followed by "reconnaissance and lateral movement" on July 3. On July 4, the group executed credential harvesting across six systems within RIBridges and maintained remote access through unidentified "commercially available remote monitoring and management tools," according to the report.
Between July 3 and Nov. 28, the group accessed data from 28 systems, "with numerous alerts" indicating large outbound transfers to an external cloud service. The most recent activity was recorded on Nov. 28, 2024, when the hackers disconnected from a remote desktop session that used a privileged account.
The summary concludes that there was no evidence to suggest that the hackers "maintained a persistent presence in the RIBridges system."
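The "numerous alerts" on large outbound transfers are the kind of signal a defender can generate from ordinary network flow records. The script below is an added illustration of that idea and is not code from CrowdStrike, Deloitte or the State of Rhode Island; the flow-log format, the host names, the external address 52.1.2.3 standing in for a cloud storage endpoint, and the 500 MiB and 10x thresholds are all assumptions chosen for the example. It totals each host's daily bytes sent to non-private addresses and flags any day that is both large in absolute terms and far above that host's own median from earlier days, so a server that never talks to the internet and suddenly pushes gigabytes outward is caught even though it has no baseline to compare against.

```python
"""Flag hosts whose daily outbound volume to external addresses spikes far
above their own history.

Added example; not the tooling used in the RIBridges investigation.
Log format, hosts, addresses and thresholds are assumptions."""

from collections import defaultdict
from ipaddress import ip_address
from statistics import median

# Constructed sample flow records: "date,src_host,dst_ip,bytes_out".
# 10.20.1.5 is an internal peer; 52.1.2.3 stands in for an external cloud service.
SAMPLE_FLOWS = """\
2024-07-03,app-01,10.20.1.5,4800000
2024-07-03,db-02,10.20.1.5,9100000
2024-07-03,web-01,52.1.2.3,20000000
2024-07-04,app-01,10.20.1.5,5100000
2024-07-04,db-02,10.20.1.5,8700000
2024-07-04,web-01,52.1.2.3,21000000
2024-07-05,app-01,10.20.1.5,4600000
2024-07-05,db-02,10.20.1.5,9400000
2024-07-05,web-01,52.1.2.3,19000000
2024-07-06,app-01,10.20.1.5,4900000
2024-07-06,db-02,10.20.1.5,8900000
2024-07-06,db-02,52.1.2.3,3200000000
2024-07-06,web-01,52.1.2.3,2500000000
"""

ABS_MIN_BYTES = 500 * 1024 * 1024   # ignore days below 500 MiB of external egress (assumed)
SPIKE_FACTOR = 10                   # and require 10x the host's own median (assumed)


def is_external(ip: str) -> bool:
    """True for globally routable destinations (private and documentation ranges excluded)."""
    return ip_address(ip).is_global


def parse_flows(text):
    """Yield (date, src_host, dst_ip, bytes_out) tuples from CSV flow lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, host, dst, nbytes = line.split(",")
        yield date, host, dst, int(nbytes)


def daily_external_egress(flows):
    """Return {host: {date: bytes}} counting only bytes sent to external addresses.

    Every host/day seen in the log is recorded, even with zero external bytes,
    so a quiet host still builds a (zero) baseline."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, host, dst, nbytes in flows:
        totals[host].setdefault(date, 0)
        if is_external(dst):
            totals[host][date] += nbytes
    return totals


def flag_egress_spikes(flows, abs_min=ABS_MIN_BYTES, factor=SPIKE_FACTOR):
    """Return (date, host, bytes, baseline) for each day whose external egress
    is at least abs_min and more than factor times the median of that host's
    earlier days. A host with no external history has a baseline of 0, so any
    day at or above abs_min is flagged."""
    alerts = []
    for host, by_day in daily_external_egress(flows).items():
        history = []
        for day in sorted(by_day):
            nbytes = by_day[day]
            baseline = median(history) if history else 0
            if nbytes >= abs_min and nbytes > factor * baseline:
                alerts.append((day, host, nbytes, baseline))
            history.append(nbytes)
    return alerts


if __name__ == "__main__":
    for day, host, nbytes, baseline in flag_egress_spikes(parse_flows(SAMPLE_FLOWS)):
        print(f"{day} {host}: {nbytes / 1e9:.2f} GB to external addresses "
              f"(prior median {baseline / 1e6:.0f} MB)")
```

Against the constructed sample, the database host that has never sent traffic outside the network is flagged on July 6, as is the web server whose steady 20 MB per day jumps to 2.5 GB. A real deployment would key the baseline on weekday and hour as well and would enrich the destination with threat intelligence, but the core check, absolute size plus deviation from the host's own norm, is what turns bulk exfiltration to a cloud service into an alert rather than a line in a log.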
In January, Fitch Ratings stated that it does not expect any immediate impact on Rhode Island's “AA” bond rating, provided the breach was contained.
Deloitte agreed to pay the state $5 million for expenses related to the breach.
McKee said Deloitte declined to attend the Thursday briefing and that the administration is still pursuing available options and “avenues to ensure accountability.”
“This series of events and risks placed on the public are unacceptable,” he said.
The administration is preparing a Request for Proposals for the next vendor to manage the RIBridges system, expected to be released within the next 18 months.
“We are going to be moving to another system,” he said. “And we will select the vendor who is most appropriate.”
(UPDATE: More comment and detail added from press conference.)
Christopher Allen is a PBN staff writer. You may contact him at Allen@PBN.com.