
Cyberattacker accessed R.I.’s benefits system five months before state officials discovered the hack

State officials are in the process of notifying thousands of new victims of the data breach, and say they plan to hold Deloitte accountable.

PROVIDENCE – The hacker that gained access to Rhode Island’s state benefits system last year – making vulnerable the private data of more than 640,000 people – did so in July, five months before state officials realized, an outside investigation has found.

State officials also revealed Thursday that thousands of people who were not initially thought to be affected by the breach also had their personal data stolen. They will be alerted in the coming weeks.

The hacker and ransomware group, Brain Cipher, first accessed the system on July 2, 2024, by entering credentials to RIBridges’ virtual private network, or VPN. Through November, the hacker was able to browse files and folders tied to RIBridges, according to a summary of the investigation completed by CrowdStrike, a cybersecurity technology company, released by Governor Dan McKee’s administration on Thursday.

At a press conference, Brian Tardiff, the state’s chief digital officer, said Brain Cipher used a username and password of an employee of Deloitte, the state’s vendor who oversees the system, to get into the system.

Between July 3 and Nov. 28, 2024, the hacker “interacted with several archive files, as well as various user files and folders on systems,” according to the nine-page executive summary of the investigation, before making a “large outbound transfer” in November.

However, through its review, CrowdStrike was unable to determine how the hacker “gained access to the credentials used to authenticate to the VPN” or if the system’s multi-factor authentication system was bypassed somehow, according to the summary.

No hacker activity has been reported in the system since the investigation began on Dec. 16, the review found. CrowdStrike finished its investigation on Jan. 31.

The full report has been withheld by state officials. Still, the short summary released Thursday provided the first publicly released details on how exactly the cyberattack unfolded before McKee alerted the public in December.

McKee told reporters Thursday the state will “pursue all avenues to ensure accountability” against Deloitte. Attorney General Peter Neronha’s Office is reviewing the matter, he said.

“That this would be undetected for that period of time, is something that is just unacceptable,” McKee said.

Asked if he would file a lawsuit, a spokesperson for Neronha said the attorney general is exploring “all available remedies.” The spokesperson, Tim Rondeau, declined to comment further because of the ongoing investigation.

The breach ultimately left the personal data of 644,401 people potentially compromised, including Social Security numbers, names, addresses, dates of birth, and health information. The RIBridges system is where people sign up for public benefits like Medicaid and food stamps, along with private health insurance through the HealthSource RI portal. The hack affected people who used the system dating back to 2019, including those who may have filled out an application but never received benefits.

At Thursday’s news conference, state officials revealed that 107,000 people who were not part of the original 657,000 people notified of the breach actually had their data stolen, including nearly 30,000 who have never applied for benefits within the RIBridges system. Rather, those people’s information “passed through” the system during employment checks when they were hired at jobs, or through pass-through verifications from the child support system and Department of Children, Youth and Families.

About 114,000 people who were previously notified that their data was potentially stolen were ultimately not found to be affected.

The newly-identified victims of the cyberattack will receive letters in the mail after Memorial Day, state officials said.

The state first learned of the attack on Dec. 5, but did not reveal the issue to the public until a Friday night press conference on Dec. 13. McKee said the purported hackers sent a screenshot to Deloitte, the private vendor that runs the benefits system, containing personally identifiable data on Dec. 10, demanding a ransom.

Emails obtained by the Globe show officials from the Department of Administration, HealthSource Rhode Island and Department of Human Services mobilized a team to deal with the hack on Dec. 6.

The majority of the communications between the date of discovery and when McKee told the public were redacted by the state.

At 3:47 p.m. on Dec. 13, Tardiff emailed a Deloitte executive: “Please proceed with system shutdown.”

The system remained offline for more than a month, and started to relaunch in phases in late January. The new outside report found that the hackers last accessed the system Nov. 28, one week before the state knew about the intrusion.

Deloitte first learned of the hack after someone posted on a website for Brain Cipher on Dec. 4, claiming to have infiltrated the system. Deloitte “identified suspicious activity” and notified state officials on Dec. 5.

Tardiff said between Dec. 4 and 13, there was an investigation to determine if RIBridges was part of the breach, or if it was another Deloitte-related system that was hacked.

“Once it was determined that it was RIBridges on Dec. 13, we shut the system down,” Tardiff said.

The report says CrowdStrike’s review “did not reveal the presence of any artifacts related to ransomware execution in the RIBridges environment, nor the presence of any Brain Cipher ransomware notes.”

The state did not pay Brain Cipher any of the money it had demanded, Tardiff said.

Citing security reasons, Tardiff said Thursday he could not go into detail about what specific controls the state has since put in place, but said “throughout the investigation, at every phase of restoration, we did an exhaustive review of all of the systems, all of the access controls.”

Asked if he would seek to fire Deloitte as the state’s vendor for the system, McKee said the state is seeking bidders to launch a new benefits system, but the process will likely take 18 months to two years.

He said Deloitte was invited to the press conference but declined to attend.

Deloitte did not immediately comment.

When the McKee administration previously notified hundreds of thousands of people believed to be affected in January, it offered five years of credit monitoring and identity theft insurance, along with identity restoration services for life. Deloitte is paying for the services, state officials said.

This story has been updated with details from a state press conference.
