Hackers worked undetected in RI’s benefits system for months before being found. What we know.
Journal Staff
- Cybersecurity firm CrowdStrike was unable to determine how Brain Cipher stole the credentials of a Deloitte employee.
- Around 115,000 people whose data was believed to be stolen last year, and who received state warning letters, were probably not exposed, but 107,000 who weren’t warned may have had data stolen.
- Attorney General Peter Neronha is investigating whether the state will sue Deloitte
Hackers infiltrated Rhode Island’s public benefits portal in early July 2024, five months before the state was alerted about the attack and eventually shut the system down, according to findings from an investigation of the breach.
The hack resulted in the personal data of 644,000 Rhode Islanders being posted on the dark web, slightly fewer than the 650,000 initially estimated to be affected.
How did hackers get into the RIBridges system?
The group Brain Cipher gained access to the RIBridges computer network on July 2, 2024, by getting the credentials of an employee of Deloitte, the contractor that runs the system for the state, the report from cybersecurity firm CrowdStrike said.
CrowdStrike was not able to determine how Brain Cipher got the Deloitte employee’s credentials.
Once inside the RIBridges system, the hackers worked undetected by Deloitte until early December, when the hackers contacted the information technology vendor and threatened to release personal information downloaded from the system.
Between Nov. 11 and Nov. 28 of last year, Brain Cipher transferred large amounts of data from the RIBridges system. After the hackers contacted Deloitte, the vendor told state officials about the hack on Dec. 4 and the system was shut down on Dec. 13.
RI in the early stages of replacing, possibly suing, Deloitte
Gov. Dan McKee told reporters Thursday that Attorney General Peter Neronha’s office is now looking into a possible state lawsuit against Deloitte for failure to adequately protect resident data.
“Well, obviously we’re not pleased by it and we’re acting accordingly,” McKee said at a State House news conference. “That’s why the attorney general is looking into the implications there. I can say that under the circumstances … that this would be undetected for that period of time is something that is just unacceptable.”
The state is in the early stages of seeking proposals from vendors to replace Deloitte and the system, also known as the Unified Health Infrastructure Project, that has had numerous problems since it launched in 2016.
People who thought they were in the clear may have had their data stolen
The composition of the people whose data was stolen has also changed from last December when the system was shut down.
Around 115,000 people whose data was believed to be stolen last year, and who received state warning letters, were probably in the clear, state Chief Digital Officer Brian Tardiff said.
On the flip side, 107,000 people whose data was not previously suspected of being stolen may have actually had their data stolen and will now receive a new round of warning letters.
The newly identified group includes people who were hired to new jobs and had their employment status verified by the Department of Labor and Training. A handful of people whose information was contained in a child support database and whose files passed through the Department of Children, Youth and Families were also compromised.
Those whose data was exposed in the hack are eligible for free credit monitoring.
Tardiff said the state has not paid any ransom connected to the attack.