Rhode Island officials have confirmed that hackers from the ransomware group Brain Cipher have started leaking sensitive data stolen from the state’s RIBridges social services system. The breach, which occurred in December 2024, has compromised personal information belonging to hundreds of thousands of residents.
Governor Daniel McKee announced during a press briefing that Deloitte, the vendor managing RIBridges, informed the state of the leak. The files, now circulating on a dark web leak site, are being analysed by cybersecurity experts. McKee acknowledged the complexity of identifying the full scope of compromised data, which includes personal identifiers such as names, addresses, Social Security numbers, dates of birth, and banking details.
The RIBridges system, an integrated eligibility platform, supports critical state-administered programmes like Medicaid, Temporary Assistance for Needy Families (TANF), and food assistance benefits. Officials previously stated that the attack affected approximately 650,000 individuals, heightening concerns over fraud and identity theft.
Timeline of the cyberattack
The breach was first disclosed on 5 December when Deloitte alerted Rhode Island officials to a potential cyberattack. Five days later, hackers provided screenshots of stolen file folders, confirming unauthorised access. By 13 December, malicious code was detected within the system, prompting authorities to shut down RIBridges to contain the threat.
Governor McKee’s office revealed that Deloitte has since implemented enhanced security measures while working with state IT teams to remediate vulnerabilities. The state has also engaged federal law enforcement agencies and the Rhode Island State Police in its investigation.
The ransomware group Brain Cipher, active since mid-2024, claimed responsibility for the attack. Known for deploying LockBit 3.0 ransomware, the group often uses phishing campaigns to infiltrate systems, tricking users into downloading malicious files. Once inside, they exploit network vulnerabilities and target administrator credentials to expand their reach.
Cybersecurity experts, including researchers from Sophos and SentinelOne, have confirmed that Brain Cipher posted details of the RIBridges breach on their leak site. While the group’s data leak platform is reportedly offline, their negotiation page remains active, raising concerns that further information may still be released.
Deloitte has been in contact with the threat actors, who initially threatened to release the data unless their demands were met. Governor McKee has stated that the state expects Deloitte to cover out-of-pocket expenses related to managing the fallout from the breach.
To mitigate the impact, Rhode Island officials are working to notify affected residents. Letters will include guidance on credit monitoring and steps to safeguard against fraud. Authorities have urged residents to freeze their credit, monitor accounts for suspicious activity, and implement multi-factor authentication to protect personal data.
Efforts to restore the RIBridges system are underway, with state officials aiming to bring it back online in stages by mid-January. Governor McKee assured the public that there would be no disruption to essential benefits, such as food assistance payments and health insurance coverage.
The breach of RIBridges underscores the rising threat of ransomware attacks on public infrastructure. Brain Cipher has gained notoriety for similar incidents, including a high-profile attack on Indonesia’s temporary National Data Center.