American sign language interpreter Jennifer Alleman, left, and Rhode Island Chief Digital Officer Brian Tardiff, who oversees IT for the state’s various agencies and departments, are seen at a press conference on Friday, Jan. 10, 2025, at the Rhode Island State House. (Alexander Castro/Rhode Island Current)
Approximately 709,000 notification letters went out in the mail Friday to Rhode Islanders whose data was leaked in the RIBridges data breach.
“If you’re like me, I don’t read my mail very often,” Gov. Dan McKee told reporters at the State House during a press conference Friday. “Let’s pay special attention to the mailings that’ll be coming over the next week or so.”
The letters, which bear a state seal upper left hand corner, contain a code for five years of free credit monitoring from Experian. McKee said the letters should arrive in the next few days, and they’ve also been translated into Spanish and Portuguese.
April 30 is the deadline to sign up for the credit monitoring.
It’s been almost a month since the governor first informed Rhode Islanders that their personal data on RIBridges — the intricate and massive public benefits system used by consumers and state workers that checks eligibility for Medicaid and social services, along with enrollment in commercial health insurance plans — was compromised in a cyberattack. Deloitte, the system’s vendor and architect, negotiated with the cybercriminals, later identified as Brain Cipher, an international outfit that previously grabbed headlines in Indonesia.
The estimated number of people whose personal information was exposed is 657,000, although some people will receive multiple letters because they are guardians or parents of minors and others also affected.
“Deloitte is still reviewing the contents of all breached files,” McKee said, adding that additional letters will be mailed if more victims are confirmed.
Brain Cipher originally boasted that it stole 1 terabyte of RIBridges data from Deloitte. Whether that number represented uncompressed data or was exaggerated is unclear, as the cybercriminals only uploaded around 576 gigabytes when the data appeared online. It’s also unclear if the group uploaded all the stolen data.
“If you think you are impacted and do not receive a letter in the next few days, we ask you to be patient and give the mail a couple extra days to arrive,” said McKee.
The letters are the only way the state will confirm if your information was affected. The state cannot verify if a person is affected over the phone or at state offices, said McKee.
Deloitte is obligated to pay for the entirety of the credit monitoring services for all those impacted by the breach, estimated to be nearly 60% of Rhode Island’s population. Reporters asked McKee and the cabinet members who joined him Friday how much that was going to cost.
“A lot,” McKee said as Rhode Island Department of Administration Director Jonathan Womer maneuvered to the podium with an answer.
“Whatever it costs is what they will pay,” Womer said, adding the state would work on calculating an exact figure
Deloitte will also assist the state in paying for additional expenses incurred in the process of mitigating the hack, Womer said.
System coming back online in pieces
The state received a Deloitte report last week summarizing the consulting firm’s technical analysis of how the breach occurred and what data Brain Cipher posted on Dec. 30 to the dark web, said Chief Digital Officer Brian Tardiff.
The summary gave the state “a high level of confidence” as to how the system was hacked, Tardiff said. With that knowledge, and some work on the system’s backend, “the security threat has been remediated,” he said, and added that officials are in the process of validating Deloitte’s findings with a third party vendor.
That means the RIBridges network — which was taken offline mid-December to prevent further movement by bad actors, as is standard in cyberattacks — is being revived piece by piece, with Tardiff estimating that it should be fully operational again by “mid-January.”
Access for state case workers has been restored, Tardiff said, which is why Department of Human Services employees were able to begin processing applications for programs like food stamps or child care assistance that have been backlogged since the system went down. The next phase of network restoration is bringing the customer-facing portal, HealthyRhode.RI.gov, back online.
If you think you are impacted and do not receive a letter in the next few days, we ask you to be patient and give the mail a couple extra days to arrive.
– Gov. Dan McKee
Human services Director Kimberly Merolla-Britosaid the agency’s employees have started to process new benefits applications received since the start of the breach, all of which had to be submitted on paper because of the network outage.
The state’s insurance marketplace HealthSource RI is linked to RIBridges, and Director Lindsay Lang said that customers paid up for January won’t see any interruptions in coverage.
“Our call center is available if there are specific questions,” Lang said. “I don’t wanna comment on anyone’s particular account. We are picking up the phone in under a minute.”
Tardiff said the state has not yet received any reports from people whose finances or identities have already been impacted.
Sluggish dark web downloads slow down analysis
Breaches often comprise massive databases which are not always human-readable or easily parsed. The file folder names advertised on Brain Cipher’s dark web site match some of the RIBridges system “tiers” described in a 2024 state document.
But determining exactly what information is in those database files has not been a speedy process. Tardiff explained that while the summary report was enough to finally and safely bring parts of the network back online, Delotitte’s technicians are still puzzling over the breach contents in a three-step process. The data needs to be checked for corruption and malware before the final step of verifying its authenticity, Tardiff said.
While the state employee side of the RIBridges system has been restored, the online portal for clients is still being repaired, state officials said Friday. Visiting HealthyRhode.RI.gov redirects to the Department of Administration’s website, which sports a bright yellow alert message about the breach and site outage. (Alexander Castro/Rhode Island Current)
Deloitte has downloaded “most” of the files, Tardiff said, with one thing holding the analysts back: The dark web platform Brain Cipher used to share the files they stole.
“The site is intermittently inaccessible,” Tardiff said.
The sites’ sluggish download speeds could be the result of a lackluster server configuration by the hackers or poor service from the platform’s dark web hosting provider.
Whatever the results of the final report, Tardiff said, it will contain “sensitive security information” and the bulk of it will not be made public.
Deloitte spokesperson Karen Walsh confirmed in an email Friday that the breached data came from the state’s servers, located in a data center in Warwick.
That contrasts earlier comments by McKee, who told radio host Matt Allen in a Dec. 17, 2024, interview that the problem was on Deloitte’s end.
“I think that’s safe to say,” McKee said then. “I don’t want to speculate definitively on that, but yeah, I think that’s safe to say.”
The consulting firm has received more than $10 million in state payments since the fiscal year began July 1, 2024, but has yet to send a representative to field questions at any of the numerous press briefings held by McKee.
Deloitte’s absence has not gone unnoticed by state officials. For now, Tardiff said, “We are making sure Deloitte is responding appropriately to restoring the system.”
SUPPORT: YOU MAKE OUR WORK POSSIBLE