A cybercriminal group breached the state’s public benefits portal last July, lingered inside the network’s backend for five months, and triggered hundreds of firewall alerts when it transferred gigabytes of Rhode Islanders’ data to its own servers in November.
But RIBridges system vendor and manager Deloitte, a multinational firm valued at $67.2 billion last year, didn’t know the system had been hacked until threat actor Brain Cipher took credit for the breach on its blog in early December.
“Deloitte missed some issues that we certainly hold them responsible for,” Gov. Dan McKee said at a Thursday morning press conference. “We also want to make sure that people know that we will pursue all avenues in our efforts to ensure accountability.”
One of the things Deloitte appears to have missed was its own incident logs, according to the long-awaited RIBridges forensic report, which CrowdStrike compiled from Dec. 16, 2024, to Jan. 31, 2025, and which was finally released to the public in an abbreviated form Thursday morning. The state hired the Austin, Texas-based cybersecurity firm to conduct the third-party analysis.
Full forensic reports of cyber breaches are not typically made available for security reasons, but the publicly released summary contains several telling details, although some are confined to footnotes. One of those revelations in the fine print: CrowdStrike did not have complete access to crucial logs needed for its analysis, such as those relating to firewall alerts or multifactor authentication (MFA), the means by which modern networks confirm and allow user access.
“We are concerned. Obviously, that is an issue,” the state’s Chief Digital Officer Brian Tardiff said at the press briefing. “The logs were not made available. That doesn’t mean that they weren’t there.”
Still, Tardiff added the exclusion of the logs has prompted the state to review its policies regarding vendor contracts, so that vendor agreements reflect “our expectations and policy requirements for retention of logs,” he said.
“The State’s Enterprise Policy includes logging requirements, which vendors are supposed to follow,” Karen Greco, a spokesperson for the Department of Administration, wrote in an email to Rhode Island Current shortly after the press conference. Greco pointed to the state’s audit and accountability policy for vendors in a follow-up email, which mandates that contractors and vendors log authentication events, firewall changes, and remote access, and keep those records for six months or more.
The CrowdStrike findings also led the state to revise the total number of people affected by the breach. The state notified 657,000 people in January that their personal information may have been compromised if they had previously applied for benefits like food stamps and Medicaid, or signed up for health insurance via the state marketplace.
But 114,879 people were ruled out after the forensic review. However, the investigation identified another 107,757 people who had not been discovered in the initial sweep, including about 30,000 people who never applied for benefits managed through the eligibility system. The final tally now stands at 644,401 people whose data — including Social Security numbers, birthdates, and potentially health information — may have been exposed.
The state will be sending out a fresh batch of letters to the newly identified residents with information on how they can access free credit monitoring services through Experian, Jonathan Womer, the administration department’s director, said. The deadline to sign up for free credit monitoring is Aug. 31.
McKee said the state is pondering legal action and that the office of Attorney General Peter Neronha is looking into the matter.
“Well, obviously we’re not pleased by it and we’re acting accordingly,” McKee said. “That this would be undetected for that period of time is something that is just unacceptable.”
“At this time, the State is pursuing all available remedies,” AG spokesperson Tim Rondeau said in an email.
Deloitte did not respond to a request for comment. But the company did RSVP to the governor when he asked a representative to attend Thursday’s press briefing.
“We did invite Deloitte to be here today. They declined,” McKee said.
It started with a pilfered username and password
A total of 338 different environments constitute the RIBridges system, Tardiff said, and 28 were accessed by the cybercriminals. Brain Cipher relied on good old-fashioned credential theft to begin its invasion, according to the CrowdStrike report. On July 2, 2024, a username and password pilfered from a Deloitte representative initially opened a gate to the system’s backend through a VPN (virtual private network), Tardiff said, although neither he nor CrowdStrike could specify how the criminals gained those credentials.
From there, the criminals exercised patience. Tardiff said the hackers used “a series of activities to maintain connection.” To set up camp in two RIBridges servers, the attackers used a Windows exploit to run their own malicious program that would expand their privileges across the system’s infiltrated areas. CrowdStrike was unable to recover the program used.
The masquerade continued on July 12 when attackers set up a reverse proxy tool, which essentially served as a backdoor into the system, one only the hackers could access. With the reverse proxy in place, Brain Cipher could move in and out of the system incognito, appearing as normal network traffic along the way.
The attackers browsed files, folders and portions of the RIBridges system between July and November. Despite tripping a firewall alarm on Sept. 10, 2024, that blocked an outgoing connection, the hackers managed to move data to their own server in the final weeks of November, with this migration triggering 397 “Large Outbound Transfer” alerts along the way.
“The technology did its job, but there are people and processes that have to follow up on what the technology triggers,” Tardiff told reporters. “That’s part of what we’re continuing to look into.”
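The point Tardiff makes, that alerts are only useful if a person or process acts on them, is one that a small correlation step can illustrate. The following added example (not from the CrowdStrike report or any state or Deloitte tooling) parses constructed firewall log lines, groups “Large Outbound Transfer” alerts per source host within a time window, and escalates any host whose burst exceeds a count or byte threshold, noting whether the same source-to-destination pair had earlier been blocked. The log format, hosts, thresholds and byte counts are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines, modelled loosely on the sequence the
# article describes: one blocked egress attempt, then a burst of transfer alerts.
SAMPLE_LOG = """\
2024-09-10T14:02:11 BLOCK outbound src=10.20.1.15 dst=203.0.113.7 rule=deny-unknown-egress
2024-11-18T01:12:40 ALERT "Large Outbound Transfer" src=10.20.1.15 dst=203.0.113.7 bytes=734003200
2024-11-18T01:19:05 ALERT "Large Outbound Transfer" src=10.20.1.15 dst=203.0.113.7 bytes=812345678
2024-11-18T01:27:51 ALERT "Large Outbound Transfer" src=10.20.1.15 dst=203.0.113.7 bytes=698765432
2024-11-18T09:40:00 ALERT "Large Outbound Transfer" src=10.20.2.8 dst=198.51.100.20 bytes=524288000
"""

ALERT_RE = re.compile(r'^(\S+) ALERT "Large Outbound Transfer" src=(\S+) dst=(\S+) bytes=(\d+)$')
BLOCK_RE = re.compile(r'^(\S+) BLOCK outbound src=(\S+) dst=(\S+)')

def parse_log(text):
    """Split raw lines into transfer alerts and earlier blocked egress attempts."""
    alerts, blocks = [], set()
    for line in text.splitlines():
        if m := ALERT_RE.match(line):
            ts, src, dst, nbytes = m.groups()
            alerts.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
        elif m := BLOCK_RE.match(line):
            blocks.add((m.group(2), m.group(3)))   # (src, dst) pairs the firewall once denied
    return alerts, blocks

def escalate(text, window=timedelta(hours=1), min_alerts=3, min_bytes=1 << 30):
    """Return hosts whose alerts in any `window` exceed a count or byte threshold,
    with total bytes and whether the firewall had earlier blocked that src->dst pair."""
    alerts, blocks = parse_log(text)
    by_src = defaultdict(list)
    for ts, src, dst, nbytes in sorted(alerts):
        by_src[src].append((ts, dst, nbytes))
    findings = {}
    for src, events in by_src.items():
        for i, (start, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            total = sum(e[2] for e in burst)
            if len(burst) >= min_alerts or total >= min_bytes:
                findings[src] = {
                    "alerts": len(burst), "bytes": total,
                    "previously_blocked": any((src, e[1]) in blocks for e in burst),
                }
                break   # one escalation per host is enough to open a ticket
    return findings
```

On the sample data only the host that was blocked in September and then moved several hundred megabytes per alert in November is escalated; the single smaller transfer from the other host stays below both thresholds.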
Brain Cipher last accessed its remote connection on Thanksgiving Day. On Dec. 4, 2024, the cybercriminal gang posted a threat on its dark web blog that it planned to leak Deloitte’s information within weeks. Deloitte in turn notified the state a day later.
But state officials did not take the network offline until Dec. 13, 2024, when they discovered the reverse proxy tool. Had it remained in the system, the tool could have allowed the criminals to remain there undetected and possibly deploy ransomware, according to the report.
Rethinking control
CrowdStrike found no evidence, however, that the hackers were able to enter other state networks. Still, data seemingly unrelated to RIBridges comprised portions of the leaked data found in independent analyses.
The situation is “fairly complicated,” Tardiff said, so he summarized why the breach may have affected people who never applied for benefits themselves.
States are granted “a single connection to the Social Security Administration” (SSA) for its file-sharing and identity verification services, Tardiff said. In Rhode Island, RIBridges is designated as the sole pass-through portal for this data. Agencies unrelated to RIBridges may use it indirectly, which accounted for many of the newly identified people who may have been affected.
That included two people with data connected through the Department of Children, Youth and Families, six people whose data passed through the Office of Child Support Services, and 29,629 people whose data was submitted to the National Directory of New Hires, which employers use to report new employees to comply with federal laws meant to enforce child support and prevent benefit fraud.
“No other state data systems or any federal data systems were compromised, only the pass-through files from the state agencies identified,” Tardiff said.
The link to download and access the stolen and published data posted on the dark web “has been largely unusable,” Tardiff said, adding the state has asked Deloitte and CrowdStrike to continue monitoring the Brain Cipher site.
But it appears that Brain Cipher revamped its download page on April 14, according to Connor Goodwolf, a cybersecurity researcher who has followed the breach since its genesis last December. Goodwolf, in a text to Rhode Island Current, said the stolen data appears to be more easily accessible than before.
“The brain cipher download for the data now works uninterrupted,” Goodwolf said via text message Thursday.
In the meantime, Tardiff said the state is a few weeks away from tentatively selecting a vendor to “modernize” RIBridges, a procurement project that started last September. The revamped benefits platform could take 18 to 24 months to fully develop and roll out, McKee added. Until then, the state is stuck with Deloitte.
But the state is seeking to minimize its reliance on the vendor. Thursday’s press conference came two days after Tardiff and Womer visited the Senate Committee on Finance to make the case for rebooting the state IT department with a budget-neutral request for 15 new full-time IT hires, including an RIBridges Technical Lead. The ask comes via one of McKee’s fiscal 2026 budget amendments.
That request for a more localized IT workforce “was influenced by the [CrowdStrike] analysis, the outcome of the analysis and the identification that we need qualified state employees managing state systems,” Tardiff said.
Can in-house staff defend and monitor the state’s systems better than an outside contractor like Deloitte?
“Directly under our control? Yes,” Tardiff told reporters.
This story was originally published by the Rhode Island Current.