American Sign Language Interpreter Jennifer Alleman (left) and Brian Tardiff, Rhode Island’s Chief Digital Officer, who oversees IT for the state’s various agencies and departments, are seen at a press conference on Friday, January 10, 2025, at the Rhode Island State House. (Alexander Castro/Rhode Island Current)
About 709,000 notification letters were mailed Friday to Rhode Islanders whose data was breached in the RIBridges data breach.
“If you’re anything like me, I don’t read my mail that often,” Gov. Dan McKee told reporters during a press conference at the State House on Friday. “Let’s pay special attention to the mailings that will be coming out in the next week or so.”
The letters, which bear a state seal at the top left, contain a code for five years of free credit monitoring from Experian. McKee said the letters should arrive in the coming days, and have also been translated into Spanish and Portuguese.
April 30 is the deadline to register for credit monitoring.
It’s been nearly a month since the governor first informed Rhode Islanders that their personal information on RIBridges (the complicated and massive public benefits system used by consumers and state workers that verifies eligibility for Medicaid and social services, along with commercial health insurance enrollment) was compromised by a cyber attack. Deloitte, the system’s supplier and architect, negotiated with the cybercriminals, identified later as Brain Cipher, an international outfit that previously made headlines in Indonesia.
The estimated number of people whose personal information has been exposed is 657,000, although some people will receive multiple letters because they are guardians or parents of minors and others who were also affected.
“Deloitte is still reviewing the contents of all breached files,” McKee said, adding that additional letters will be sent if more victims are confirmed.
Brain Cipher originally boasted that it had stolen 1 terabyte of RIBridges data from Deloitte. Whether that amount represented uncompressed data or was exaggerated is unclear, as the cybercriminals only uploaded about 576 gigabytes when the data appeared online. It is also unclear whether the group uploaded all the stolen data.
“If you think you may be affected and do not receive a letter in the coming days, we ask that you please be patient and give the mail a few extra days,” McKee said.
The letters are the only way the state can confirm whether your data has been compromised. The state cannot verify whether a person was affected over the phone or at state offices, McKee said.
Deloitte is required to pay for the entirety of credit monitoring services for everyone affected by the breach, estimated to be nearly 60% of Rhode Island’s population. Reporters asked McKee and the Cabinet members who joined him Friday how much that would cost.
“A lot,” McKee said as Jonathan Womer, director of the Rhode Island Department of Administration, maneuvered to the podium with a response.
“Whatever it costs is what they will pay,” Womer said, adding that the state would work on calculating an exact amount.
Deloitte will also help the state pay additional costs incurred in the process to mitigate the hack, Womer said.
System comes back online in pieces
The state received a report from Deloitte last week summarizing the consulting firm’s technical analysis of how the breach occurred and what data Brain Cipher posted to the dark web on Dec. 30, Chief Digital Officer Brian Tardiff said.
The summary gave the state “a high level of confidence” about how the system was hacked, Tardiff said. With that knowledge, and some work on the system’s backend, “the security threat has been resolved,” he said, adding that officials are in the process of validating Deloitte’s findings with a third-party vendor.
That means the RIBridges network – which was taken offline in mid-December to prevent further movement of bad actors, as is standard in cyber attacks – is being revived piecemeal, with Tardiff estimating that it should “return fully operational by mid-January.”
Access for government employees has been restored, Tardiff said. That’s why Department of Human Services workers were able to start processing applications for programs like food stamps or child care assistance, which have been backlogged since the system went offline. The next phase of network recovery is bringing the customer-facing portal, HealthyRhode.RI.gov, back online.
Human Services Director Kimberly Merolla-Brito said agency staff have begun processing new benefit claims received since the breach began, all of which had to be submitted on paper because of the network outage.
The state’s insurance marketplace HealthSource RI is linked to RIBridges, and director Lindsay Lang said customers who paid before January will see no interruptions in coverage.
“Our call center is available if you have specific questions,” Lang said. “I don’t want to comment on anyone’s specific account. We will answer the phone within a minute.”
Tardiff said the state has not yet received any reports from people whose finances or identities have already been affected.
Slow downloads on the dark web slow down analysis
Breaches often involve massive databases that are not always human-readable or easily parsed. The file folder names advertised on the Brain Cipher dark web site correspond to some of the “levels” of the RIBridges system described in a 2024 state document.
But determining the exact information in those database files wasn’t a quick process. Tardiff explained that while the summary report was enough to finally and safely bring parts of the network back online, Deloitte engineers are still working through the contents of the breach in three steps. The data must be checked for corruption and malware before the final step of verifying its authenticity, Tardiff said.
Deloitte downloaded “most” of the files, Tardiff said, but one thing stopped the analysts: the dark web platform Brain Cipher used to share the files they stole.
“The site is inaccessible at times,” Tardiff said.
The site’s slow download speeds could be a result of poor server configuration by the hackers or poor service from the platform’s dark web hosting provider.
Whatever the results of the final report, Tardiff said, it will contain “sensitive safety information” and most of it will not be made public.
Deloitte spokesperson Karen Walsh confirmed in an email Friday that the breached data came from the state’s servers, located in a data center in Warwick.
That contrasts with previous comments from McKee, who told radio host Matt Allen in an interview on December 17, 2024, that the problem was on Deloitte’s side.
“I think it’s safe to say that,” McKee said at the time. “I don’t want to definitively speculate on that, but yes, I think that’s safe to say.”
The consulting firm has received more than $10 million in state payments since the fiscal year began on July 1, 2024, but has not yet sent a representative to take questions at any of the numerous news conferences McKee has held.
Deloitte’s absence has not gone unnoticed by government officials. For now, Tardiff said, “We are making sure Deloitte responds appropriately to the system recovery.”