There’s not much sand left in the hourglass counting down to an international cybercriminal group’s purported release of data stolen from the RIBridges system — the online customer interface for social services like Medicaid, food stamps and individual subscriptions to Rhode Island’s health insurance marketplace.

Reports in national outlets suggested the hackers’ deadline was Sunday, Dec. 15, but as of 1:30 p.m. Tuesday, the countdown clock on hacker group Brain Cipher’s dark web site showed about 27 hours left before the data is released. Rhode Island state officials have not named the group directly but have relayed that there is an unspecified ransom demand, according to Deloitte, the RIBridges system vendor and architect. Deloitte has been in direct contact with the cybercriminals, state officials said in recent press events. Brain Cipher took credit for a hack of Deloitte U.K. earlier this month.

“Unfortunately, giant companies do not always do their job well,” Brain Cipher wrote on its blog.

The breach could affect hundreds of thousands of Rhode Islanders, including those who applied for social services but were ineligible, as well as those who previously received benefits. Deloitte has indicated the stolen information may include names, addresses, dates of birth, Social Security numbers and banking information.

Notification letters will be sent to affected people following recovery and analysis of the RIBridges network, state officials have reiterated. The timeline is yet to be determined.

The customer-facing web portal and the state’s administrative infrastructure have been down since Friday, as Deloitte works to cast out the hackers’ remaining presence — described vaguely as “malicious code” in a press release — from the system. Meanwhile, state employees have switched to paper processing for benefits like food stamps.

HealthSource RI, the insurance marketplace, cannot process new applications during open enrollment season — which ends Jan. 31, 2025 —  until the Bridges network can safely return online, Director Lindsay Lang said at a press conference Monday.   

“We’re going to work to minimize any impact to coverage for 2025,” Lang said. “We want to make sure that any alternative processes that we develop are safe and secure and ultimately as convenient as possible for our customers, and then we’ll be able to support their application once the system is back up and running.” 

She added that customers who already paid for their January 2025 coverage will have active insurance next month.

A screen capture from Brain Cipher’s blog shows a breach labeled as data belonging to Deloitte U.K. The multinational firm confirmed Monday, Dec. 16, 2024, that the affected data is actually from the RIBridges system, a Deloitte client. (Screenshot)

News of the hack first arrived on Brain Cipher’s dark web blog around Dec. 4, when the hackers claimed they stole data from Deloitte U.K.’s own network. On Monday, a Deloitte spokesperson for the firm’s U.S. business confirmed that the data was not from Deloitte U.K. but from the RIBridges database. Deloitte U.K. previously denied that the Brain Cipher hack affected its system, but did specify that a client system had been affected. The Brain Cipher blog still lists Deloitte U.K. as the breach’s victim as of Tuesday.

“Soon we will tell you about this incident,” Brain Cipher wrote on their blog. “We will provide an example of data that has leaked.”

The hackers also appeared to taunt Deloitte for failing to observe “the ‘elementary points’ of information” — also known as the “CIA triad,” or confidentiality, integrity and availability. Information security experts consider these three elements as foundational to building strong, secure databases. 

Attorneys suit up for eventual court battles

The cyberattack swiftly translated to litigation: On Monday, the state’s top attorney gently reminded Deloitte to keep all evidence about the breach intact. That announcement came after three breach-related class action lawsuits were filed against Deloitte.

Rhode Island Attorney General Peter Neronha “will ensure accountability on behalf of Rhode Islanders for this failure to protect their most sensitive identity information, about which they are understandably very, very concerned,” said spokesperson Timothy Rondeau in a statement Monday night.

Rondeau added the AG will “pursue any and all legal actions in order to help make those affected whole. To that end, we have already taken preliminary steps such as notifying Deloitte of its obligation to preserve information and documents.” 

Rhode Island law specifies that state agencies who suspect they have been breached notify the AG within a specific timeframe. 

Rondeau said that as of Tuesday, the AG’s office had not been notified formally — although the Providence Public School Department also delayed notification when it was hacked in September, as the state law allows for more time during active criminal investigations. 

Two of the class action lawsuits were filed Sunday, and another on Monday. One lawsuit is from lead plaintiff Patricia Mahoney, a North Providence resident and Supplemental Nutrition Assistance Program (SNAP) recipient. The second complaint is by Ronald J. Pannozzi of Providence. The third is by Claire A. Taraborelli, a Cranston resident who also receives SNAP benefits. 

Pannozzi and Taraborelli’s cases were filed in the U.S. District Court in Providence. Mahoney’s was filed in the U.S. District Court for the Southern District of New York.  

“Members are now, and for the rest of their lives will be, at a heightened and substantial risk of identity theft,” Taraborelli’s lawsuit states.

Peter Wsylyk, formerly a state representative and House deputy majority leader, is serving as the attorney for all three cases. In the Mahoney case, he is joined by Gary E. Mason of Washington, D.C., in representing the plaintiff.  

“This incident is just another example of the critical need for entities to take strong measures to safeguard such sensitive personal information,” Wsylyk wrote in a statement on Pannozzi’s case. “When entities fail to protect individuals’ personally identifiable confidential data, affected individuals are left extremely vulnerable.” 

An adage among cybersecurity professionals, one of those much-quoted sayings with an unclear origin, is, “There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.”

But the fallibility of systems has not stopped lawyers from suiting up to attack companies for less-than-ironclad security. A 2024 analysis by Bloomberg Law found that federal court complaints mentioning breaches or ransomware “more than doubled from 2021 to 2022, and then more than doubled again from 2022 to 2023.”

Gov. Dan McKee, meanwhile, took to touring the airwaves Tuesday to assure Rhode Islanders that his administration is doing everything it can to protect those affected.

“Last week was a good week until it wasn’t,” McKee said in a radio interview Tuesday afternoon with WPRO host Matt Allen. 

Allen asked if the governor was “rethinking working with Deloitte,” especially given the company’s problem-plagued rollout for RIBridges in 2016. That launch also resulted in a court battle, with Rhode Island netting $30 million via a settlement agreement with Deloitte, the Providence Journal reported in 2020.

“Well, I think everything’s on the table,” McKee said. “This is a complicated issue, one that services hundreds of thousands of people, you don’t want a service interruption. … We know there’s missteps. We just don’t know what they are right now.”

McKee also said Deloitte is paying for costs associated with the hack, including the credit monitoring, call center and notification letters.

Unfinished lessons from Providence schools

It’s unconfirmed whether the RIBridges cyberattack is a true ransomware effort, which involves malware that makes files unusable with uncrackable encryption. Typically, ransomers will promise to provide the decryption key upon payment. 

Chief Digital Officer Brian Tardiff did not characterize the attack as ransomware on Friday, Dec. 13. But there was extortion involved, he said. 

“So far, there haven’t been any public reports of victims actually paying a ransom to the Brain Cipher ransomware group,” said Jon Miller, the co-founder and CEO of Halcyon, a Texas-based anti-ransomware company, in an email to Rhode Island Current. “It’s worth noting that many organizations keep ransom payments under wraps to avoid encouraging more attacks — or because of legal or reputational concerns. So, while no payments have been officially documented, it doesn’t necessarily mean no one has paid up.”

Miller also pointed to Brain Cipher’s high-profile cyberattack on a government datacenter in Indonesia, which ultimately led to the hackers apologizing to the people of the southeast Asian country. The decryption keys were released for free, Cyber Security News reported in July.

The state-level cyberattack comes just three months after prolific ransomers Medusa Group pulled 200-plus gigabytes’ worth of data from the Providence Public School Department. But beyond their shared interest in encrypting files, the two ransomware outfits appear to operate quite differently. Medusa uses a ransomware-as-a-service (RaaS) model for its hacking activities, which is essentially a means of contracting out hacking activity.

“Unlike established RaaS groups that provide ransomware tools to affiliates in exchange for a share of the profits, Brain Cipher so far appears to be a more centralized operation or is only working with a small group of vetted affiliates,” Miller said.

It’s unknown if Brain Cipher will update its blog with a publicly available dump of the breached data, as Medusa did with the data it stole from Providence schools, or if it will sell the data to a buyer. The RIBridges dump is estimated to be 1 terabyte in size — about five times as large as the Providence dump.

Call center hours extended

Gov. Dan McKee’s office announced Tuesday that the RIBridges Data Breach Hotline is now available daily. The toll-free, multilingual hotline (833-918-6603) is open Monday through Friday, 9 a.m. to 9 p.m., and weekends 11 a.m. to 8 p.m.

Call center staff can provide guidance on protecting personal information but cannot answer questions about state benefits or confirm if specific data was compromised. More updates are available on cyberalert.ri.gov.

The Department of Human Services (DHS) has also extended office hours at its Pawtucket location (249 Roosevelt Ave.) and two Providence locations (1 Reservoir Ave. and 125 Holden St.) until 7 p.m., Tuesday through Thursday this week. DHS will also extend its call center hours on these dates. The call center can be reached at 1-855-697-4347.

The affected RIBridges programs include:

Medicaid 
Supplemental Nutrition Assistance Program (SNAP) 
Temporary Assistance for Needy Families (TANF) 
Child Care Assistance Program (CCAP) 
Health coverage purchased through HealthSource RI 
Rhode Island Works (RIW) 
Long-Term Services and Supports (LTSS) 
General Public Assistance (GPA) Program 
At HOME Cost Share