Deloitte says cyberattack on Rhode Island benefits portal carries 'major security threat'

Personal and financial data probably stolen


A cyberattack on a Deloitte-managed government system in Rhode Island carries a "high probability" of sensitive data theft, the state says.

RIBridges is the online portal through which Rhode Islanders apply for social services and benefits and determine their eligibility for them. Deloitte notified the state of a "major security threat" to the system on Friday, December 13.

The total number of affected individuals has not yet been confirmed, but the state said: "To the best of our knowledge, any individual who has received or applied for health coverage and/or health and human services programs or benefits could be impacted by this breach."

RIBridges facilitates applications to a wide variety of benefits programs including:

The nature of the data that was probably stolen is still being confirmed, but it looks like names, addresses, dates of birth, social security numbers, and "certain banking information" are among the affected data types.

The RIBridges system remains down for remediation works, so any resident wanting to apply for any of the benefits programs must do so using a paper application sent in the mail.

Deloitte engaged credit monitoring business Experian to establish a multilingual call center to support those concerned about their data being stolen, but staff on the other end of the line won't be able to confirm whether or not any given caller is affected.

Rhode Islanders are advised to keep an eye on their accounts, change any reused and/or basic passwords, and speak to credit monitoring agencies to freeze their credit or place a fraud alert on their accounts while they wait for more information.

The "major incident" was confirmed by Deloitte on December 13, but the first indication of foul play came earlier on December 5. Law enforcement was notified at the time but investigators were still assessing the full picture.

It wasn't until December 10 that Deloitte confirmed crooks had indeed broken into the RIBridges system after the cybercriminals behind the attack sent screenshots of folders to Deloitte itself. The following day, the company said there was "a high probability that the implicated folders contain personally identifiable information from RIBridges."

This aligns with the timeline where the Brain Cipher ransomware gang alleged it had data stolen from Deloitte, claiming to show "samples" on its data leak site - although it's not yet confirmed if the two events are related.

The Register asked Deloitte about its security posture following Brain Cipher's post and a spokesperson for the Big Four auditor sent the following statement: "We are aware of the claims by the threat actor. Our investigation indicates that the allegations relate to a single client's system which sits outside of the Deloitte network. No Deloitte systems have been impacted."

The company has confirmed to The Register that the "single client system" it referred to in the initial statement is indeed RIBridges.

Deloitte added: "Upon learning that a state system supported by Deloitte had been attacked by an international cybercriminal group, we launched an investigation in collaboration with our client and law enforcement officials. While that investigation is ongoing, we have shown over the past decade our unwavering commitment to the State of Rhode Island and the people they serve. We will continue to work around the clock to resolve this matter."

Governor of Rhode Island Dan McKee said in a public address on December 14: "As part of this investigation, today we discovered that within the Rhode Island Bridges system, a cybercriminal had installed dangerous malware that constituted an urgent threat."

"I understand this is alarming," he added. "Please know that Deloitte and the state are working with law enforcement, as well as IT experts, to minimize the impact on Rhode Islanders." ®
