Investigation Finds It Was Deloitte Credentials That Allowed Hackers Into the Rhode Island Benefits System


Oops.

Late last year, the state of Rhode Island discovered nefarious individuals had gained access to its state benefits system, RI Bridges, a system built and managed by Deloitte. This meant hackers got their hands on the personal information of Rhode Islanders who’d used state programs such as Medicaid, SNAP, health coverage purchased through HealthSource RI, and at-home care services provided by the state, among other things.

In February we reported on Deloitte making a $5 million payment to the state at the behest of the governor to help with expenses related to the breach. Revisiting what we wrote at that time:

It appears the group that got Deloitte UK [in 2024] is the same one that penetrated the Deloitte-managed RI Bridges system: Brain Cypher. Adding insult to injury, Brain Cypher sent Deloitte a screenshot of some of the data they got.

As news of the breach was breaking in mid-December, Deloitte released this statement: “Our investigation indicates that the allegations relate to a single client’s system which sits outside of the Deloitte network. No Deloitte systems have been impacted.” Whew, as long as your systems are safe. Who cares about a bunch of kids on food stamps amirite.

At a press conference shortly after news of the breach hit, Rhode Island’s chief digital officer wasn’t so quick to let the firm pass the buck:

Asked during a Smith Hill news conference how the hack happened, and whether Deloitte was responsible, [CDO Brian] Tardiff said, “It’s an ongoing investigation, so we can’t provide any details at this point. We do expect a full root cause analysis that will provide those details.”

Tardiff added that RI Bridges “is maintained and operated by Deloitte, so we believe it [the breach] is not from the state.”

In order to get to the bottom of things, cybersecurity firm CrowdStrike was brought in to do an independent investigation and the results are in. The timeline, as outlined by a press release on May 15, is as follows:

  • In July 2024, a threat actor gained entry to the RIBridges system through unauthorized use of Deloitte credentials.
  • Between July and November 2024, the actor accessed 28 systems in the RIBridges environment.
  • Between November 11 and 28, 2024, the actor exfiltrated numerous files from the system.
  • After November 28, the actor was no longer present in the system.

We’ve attached the full CrowdStrike report at the bottom if you care to read it. It doesn’t say bluntly that Deloitte credentials were used, only that “the Threat Actor successfully authenticated to the RIBridges non-production virtual private network (VPN) from an external IP address using a non-state of Rhode Island non-privileged account.”

A footnote after that sentence states “Deloitte advised MFA [Multi Factor Authentication] was in place for all accounts related to the RIBridges production environment. MFA event logs were not retained for review by CrowdStrike to determine if MFA was triggered for Threat Actor VPN sessions.”

“CrowdStrike was unable to determine how the Threat Actor gained access to the credentials used to authenticate to the VPN or if multifactor authentication (MFA) was bypassed,” the report added.

Additionally, CrowdStrike discovered another 107,757 affected people, bringing the number of impacted individuals up to 644,401. “Some of the recently identified individuals were neither RIBridges customers nor applicants for benefits but were included in files shared with federal agencies for verification purposes,” said the state’s press release.

Rhode Island is in the process of pursuing options to modernize the current RIBridges system managed by Deloitte, with the goal of transitioning to a new system, said the state.

One thought on “Investigation Finds It Was Deloitte Credentials That Allowed Hackers Into the Rhode Island Benefits System”

  1. Oh cry me a river. This is why we must support Trump policies. Vote Republican because we all can’t be on welfare.
