Deloitte and Rhode Island officials confirmed that a ransomware attack by Brain Cipher impacted public benefits data from the state’s RIBridges system.
The Brain Cipher ransomware group initially listed Deloitte UK as a victim on its dark web leak site in early December, prompting Deloitte to respond that only one client system outside of Deloitte’s network was impacted.
Rhode Island state officials later publicly disclosed the attack on the state’s Deloitte-maintained RIBridges data system on Dec. 13 after Deloitte confirmed the presence of malware on the system.
Deloitte previously informed the state of a potential cyberattack on Dec. 5 and confirmed a data breach likely involving personally identifiable information (PII) to state officials on Dec. 11, according to the Rhode Island Department of Administration.
On Monday, a Deloitte spokesperson told the Rhode Island Current that RIBridges was the client system affected by the Brain Cipher attack, confirming the involvement of the ransomware group in the attack on the state’s public services data.
Brain Cipher is a relatively new ransomware gang that emerged in June 2024. It uses ransomware code based on LockBit 3.0 and is best known for a major attack on Indonesia’s National Data Center.
“Brain Cipher often gains initial access to systems through phishing campaigns, tricking victims into downloading malicious files. Once inside, they leverage tools and exploits to move laterally across networks, frequently targeting Windows domain administrator credentials to maximize their reach,” Jon Miller, CEO and co-founder of Halcyon, told SC Media in an email.
The group claims to have stolen more than 1 terabyte of compressed data in its attack on the Deloitte-maintained system and initially set a deadline of Dec. 15, after which it would start leaking the data. As of Tuesday afternoon, however, the deadline appeared to have been extended to Wednesday, according to the Rhode Island Current.
Rhode Island Gov. Daniel McKee said in a Saturday press conference addressing the attack that public benefits programs potentially impacted by the breach included Medicaid, the Supplemental Nutrition Assistance Program (SNAP), Temporary Assistance for Needy Families (TANF), the Child Care Assistance Program (CCAP), HealthSource RI, Rhode Island Works (RIW), Long-Term Services and Supports (LTSS), the General Public Assistance (GPA) Program and At HOME Cost Share.
Individuals who applied for or received benefits through these systems are advised to freeze and monitor their credit, request a fraud alert from a credit reporting agency, implement multi-factor authentication on their accounts and remain vigilant for potential phishing attacks leveraging the potentially stolen data, McKee said in a public service announcement Monday.
The state additionally set up a data breach phone hotline, operating 12 hours a day, for residents to ask questions about the breach, although officials noted that operators cannot confirm which individuals were impacted or answer questions about state benefits or healthcare coverage.
“Households that have had personal information compromised will receive a letter by mail from the State that explains how to access free credit monitoring,” officials stated on the government web page created to share information about the breach.
Class-action lawsuits filed against Deloitte over ransomware breach
Following news that the RIBridges breach likely compromised residents’ PII, two class-action lawsuits were filed against Deloitte, alleging the company “failed to adequately protect individuals’ sensitive personally identifiable information maintained in the Rhode Island system referred to as RIBridges,” according to ABC 6.
Deloitte is accused of failing to implement sufficient cybersecurity procedures and protocols, with the lawsuits also saying private information was maintained in a “reckless manner” by the company. The two plaintiffs in the lawsuits are represented by former Rhode Island state Rep. Peter Wasylyk.
Cybersecurity challenges faced by the state were previously outlined in a 2023 audit report by Auditor David Bergantino.
“The State updated its current cybersecurity readiness and has begun to identify risk mitigation priorities and the resources needed to implement necessary corrective action. The state does not currently have sufficient resources dedicated for the size and complexity of State operations and risk mitigation is not progressing quickly enough,” the report states.