Rhode Island governor warns residents of cyberattack on state benefits system
Hundreds of thousands of Rhode Island residents may have been impacted by a cyberattack on a crucial benefits system, the governor said.
In a press conference on Friday evening, Governor Dan McKee urged residents to take actions to protect their financial accounts and said the state had shut down RIBridges, a system that manages social services programs.
McKee told reporters that U.K. consulting firm Deloitte, which manages RIBridges, recently informed them of a “major security threat” and said those who used the system likely had names, addresses, dates of birth, Social Security numbers, banking information and other personal information stolen by hackers.
RIBridges is used to determine eligibility for programs and benefits like Supplemental Nutrition Assistance Program (SNAP), Medicaid and cash assistance as well as affordable health coverage options offered through Health Source Rhode Island.
According to a state cybersecurity official, Deloitte initially warned the government on December 5 that they had received an extortion message from hackers claiming to have stolen 1 terabyte of data, but investigations by state officials and Deloitte found no indications of compromise.
The hackers reached out to Deloitte again five days later, sharing a screenshot of folders and files the company later verified were legitimate.
Further scans by state officials and Deloitte resulted in the discovery on Friday of “malicious files” that state cybersecurity officials said “could potentially be launched to cause damage to the RIBridges system by the cybercriminals,” prompting the government to shut down the system.
McKee said the state is considering the incident an extortion attack rather than a ransomware incident because the systems were not decrypted.
McKee held a second lengthy press conference on Saturday urging state residents to sign up for credit monitoring, institute credit freezes, apply two-factor authentication on all financial accounts and to take several other steps to protect themselves in light of the incident.
He noted it is likely that the ransomware gang will leak the stolen data “as early as this week.”
The director of Health Source RI, Rhode Island's marketplace for affordable health coverage, noted that this was a particularly inopportune time for a cyberattack as it coincides with the open enrollment period when people typically sign up for health insurance. The open enrollment period started on November 1 and lasts until January 31.
A state official said they planned to revert to paper applications for many of the impacted programs while the system is offline, but noted there is a concern about hackers being able to access state funds illegally using a person’s stolen information. State agencies are currently trying to figure out how fund disbursements in January will be handled.
On Sunday, Rhode Island set up a hotline for people to call for information about the incident to get a better understanding of what happened. The state is still conducting an investigation, and those who are affected will receive a letter in the mail offering free credit monitoring for an undisclosed amount of time.
The state still does not know precisely how many people are impacted but it likely includes anyone who gave information related to Medicaid, SNAP, Temporary Assistance for Needy Families, health insurance on the open marketplace, and other programs.
Deloitte negotiations
McKee and several state lawyers told the press that Deloitte will bear some of the financial burden for the incident, including covering the cost of credit monitoring services.
When asked how much the hackers are demanding, McKee claimed the negotiations were being done solely between Deloitte and the ransomware gang. Reporters peppered McKee and others with questions about why Deloitte was leading the negotiations with the hackers, but state officials did not give an answer.
The company has hired a negotiator to communicate with the hackers, according to McKee, but state lawyers said Deloitte will consult with them and federal authorities before paying any ransom.
The state police, FBI and Cybersecurity and Infrastructure Security Agency (CISA) are all involved in the response to the incident.
When asked for comment about the situation by Recorded Future News, a spokesperson for Deloitte connected the incident to claims made last week by a ransomware gang named Brain Cipher.
The spokesperson said their investigation “indicates that the allegations relate to a single client's system which sits outside of the Deloitte network.”
“No Deloitte systems have been impacted,” the spokesperson said.
“Upon learning that a state system supported by Deloitte had been attacked by an international cybercriminal group, we launched an investigation in collaboration with our client and law enforcement officials. While that investigation is ongoing, we have shown over the past decade our unwavering commitment to the State of Rhode Island and the people they serve.”
McKee said the state would likely reevaluate its relationship with Deloitte once the crisis had been resolved.
In September, the Providence school system spent days recovering from a damaging ransomware attack impacting thousands of students.
In July, the Brain Cipher ransomware gang attacked Indonesia's national data center, disrupting immigration checks at airports and a variety of other public services. Jon Miller, CEO of cybersecurity firm Halcyon, said the ransomware is a variant of the notorious LockBit 3.0 ransomware and emerged in June.
The gang — which has ties to several other ransomware operations, researchers have found — initially demanded a ransom of $8 million but eventually published the decryptor for free after seeing the damage done to Indonesia’s government.
Rebecca Moody, head of data research at cybersecurity firm Comparitech, noted that this is the 82nd confirmed ransomware attack on a U.S. government agency this year so far, exceeding 2023’s total of 79 attacks.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.