Latest news with #RIBridges

RIBridges firewall worked. But forensic report says hundreds of alarms went unnoticed.

Yahoo

15-05-2025

Department of Administration Director Jonathan Womer, Gov. Dan McKee, and Chief Digital Officer Brian Tardiff are seen at a May 15, 2025, press conference unveiling findings from a forensic investigation into the 2024 RIBridges data breach. (Photo by Alexander Castro/Rhode Island Current)

A cybercriminal group breached the state's public benefits portal last July, lingered inside the network's backend for five months, and triggered hundreds of firewall alerts when it transferred gigabytes of Rhode Islanders' data to its own servers in November.

But RIBridges system vendor and manager Deloitte, a multinational firm valued at $67.2 billion last year, didn't know the system had been hacked until threat actor Brain Cipher took credit for the breach on its blog in early December.

'Deloitte missed some issues that we certainly hold them responsible for,' Gov. Dan McKee said at a Thursday morning press conference. 'We also want to make sure that people know that we will pursue all avenues in our efforts to ensure accountability.'

One of the things Deloitte appears to have missed was its own incident logs, according to the long-awaited RIBridges forensic report by CrowdStrike from Dec. 16, 2024, to Jan. 31, 2025, and finally released to the public in an abbreviated form Thursday morning. The state hired the Austin, Texas-based cybersecurity firm to conduct the third-party analysis.

Full forensic reports of cyber breaches are not typically available for security reasons, but the publicly released summary contains several telling details, although some are confined to footnotes.

One of those revelations in the fine-print: CrowdStrike did not have complete access to crucial logs needed for its analysis, such as those relating to firewall alerts or multifactor authentication (MFA), the means by which modern networks confirm and allow user access.

'We are concerned. Obviously, that is an issue,' the state's Chief Digital Officer Brian Tardiff said at the press briefing. 'The logs were not made available. That doesn't mean that they weren't there.'

Still, Tardiff added the exclusion of the logs has prompted the state to review its policies regarding vendor contracts, so that vendor agreements reflect 'our expectations and policy requirements for retention of logs,' he said.

'The State's Enterprise Policy includes logging requirements, which vendors are supposed to follow,' Karen Greco, a spokesperson for the Department of Administration, wrote in an email to Rhode Island Current shortly after the press conference.

Greco pointed to the state's audit and accountability policy for vendors in a follow-up email, which mandates that contractors and vendors log authentication events, firewall changes, and remote access, and keep those records for six months or more.

The CrowdStrike findings also led the state to revise the total number of people affected by the breach. The state notified 657,000 people in January that their personal information may have been compromised if they had previously applied for benefits like food stamps and Medicaid, or signed up for health insurance via the state marketplace. But 114,879 people were ruled out after the forensic review.

However, the investigation identified another 107,757 people who had not been discovered in the initial sweep, including about 30,000 people who never applied for benefits managed through the eligibility system. The final tally now stands at 644,401 people whose data — including Social Security numbers, birthdates, and potentially health information — may have been exposed.

The state will be sending out a fresh batch of letters to the newly identified residents with information on how they can access free credit monitoring services through Experian, Jonathan Womer, the administration department's director, said. The deadline to sign up for free credit monitoring is Aug. 31.

McKee said the state is pondering legal action and that the office of Attorney General Peter Neronha is looking into the matter.

'Well, obviously we're not pleased by it and we're acting accordingly,' McKee said. 'That this would be undetected for that period of time is something that is just unacceptable.'

'At this time, the State is pursuing all available remedies,' AG spokesperson Tim Rondeau said in an email.

Deloitte did not respond to a request for comment. But the company did RSVP to the governor when he asked a representative to attend Thursday's press briefing.

'We did invite Deloitte to be here today. They declined,' McKee said.

A total of 338 different environments constitute the RIBridges system, Tardiff said, and 28 were accessed by the cybercriminals.

Brain Cipher relied on good old fashioned credential theft to begin its invasion, according to the CrowdStrike report. A username and password pilfered from a Deloitte representative initially opened the gate to the system's backend through a VPN (virtual private network), Tardiff said, although neither he nor CrowdStrike could specify how the criminals gained those credentials.

From there, the criminals exercised patience. Tardiff said the hackers used 'a series of activities to maintain connection.' After setting up camp in two RIBridges servers, the attacker used a Windows exploit to run their own malicious program that would expand their privileges across the system's infiltrated areas. CrowdStrike was unable to recover the program used.

The masquerade continued on July 12 when attackers set up a reverse proxy tool, which essentially served as a backdoor into the system, one only the hackers could access. With the reverse proxy in place, Brain Cipher could move in and out of the system incognito, appearing as normal network traffic along the way.

The attackers browsed files, folders and portions of the RIBridges system between July and November. Despite tripping a firewall alarm on Sept. 10, 2024 that blocked an outgoing connection, hackers managed to move data to their own server in the final weeks of November, with this migration triggering 397 'Large Outbound Transfer' alerts along the way.

'The technology did its job, but there are people and processes that have to follow up on what the technology triggers,' Tardiff told reporters. 'That's part of what we're continuing to look into.'

Brain Cipher last accessed its remote connection on Thanksgiving Day. On Dec. 4, 2024, the cybercriminal gang posted a threat on its dark web blog that it planned to leak Deloitte's information within weeks. Deloitte in turn notified the state a day later.

But state officials did not take the network offline until Dec. 13, 2024, when they discovered the reverse proxy tool. Had it remained in the system, the tool could have allowed the criminals to remain there undetected and possibly deploy ransomware, according to the report.

CrowdStrike found no evidence, however, that the hackers were able to enter other state networks. Still, data seemingly unrelated to RIBridges comprised portions of the leaked data found in independent analyses.

The situation is 'fairly complicated,' Tardiff said, so he summarized why the breach may have affected people who never applied for benefits themselves.

States are granted 'a single connection to the Social Security Administration' (SSA) for its filesharing and identity verification services, Tardiff said. In Rhode Island, RIBridges is designated as the sole pass-through portal for this data. Agencies unrelated to RIBridges may use it indirectly, which accounted for many of the newly identified people who may have been affected.

That included two people with data connected through the Department of Children Youth and Families, six people whose data passed through the Office of Child Support Services, and 29,629 people whose data was submitted to the National Directory of New Hires, which employers use to report new employees to comply with federal laws meant to enforce child support and prevent benefit fraud.

'No other state data systems or any federal data systems were compromised, only the pass-through files from the state agencies identified,' Tardiff said.

The link to download and access the stolen and published data posted on the dark web 'has been largely unusable,' Tardiff said, adding the state has asked Deloitte and CrowdStrike to continue monitoring the Brain Cipher site.

But it appears that Brain Cipher revamped its download page on April 14, according to Connor Goodwolf, a cybersecurity researcher who has followed the breach since its genesis last December. Goodwolf, in a text to Rhode Island Current, said the stolen data appears to be more easily accessible than before.

'The brain cipher download for the data now works uninterrupted,' Goodwolf said via text message Thursday.

In the meantime, Tardiff said the state is a few weeks away from tentatively selecting a vendor to 'modernize' RIBridges, a procurement project that started last September. The revamped benefits platform could take 18 to 24 months to fully develop and roll out, McKee added.

Until then, the state is stuck with Deloitte. But the state is seeking to minimize its reliance on the vendor.

Thursday's press conference came two days after Tardiff and Womer visited the Senate Committee on Finance to make the case for rebooting the state IT department with a budget-neutral request for 15 new full-time IT hires, including an RIBridges Technical Lead. The ask comes via one of McKee's fiscal 2026 budget amendments.

That request for a more localized IT workforce 'was influenced by the [CrowdStrike] analysis, the outcome of the analysis and the identification that we need qualified state employees managing state systems,' Tardiff said.

Can in-house staff defend and monitor the state's systems better than an outside contractor like Deloitte?

'Directly under our control? Yes,' Tardiff told reporters.

Report: Hackers accessed RIBridges using Deloitte rep's credentials

Yahoo

15-05-2025

PROVIDENCE, R.I. (WPRI) — A newly released analysis of last year's RIBridges data breach revealed how the hackers gained access to the system.

The investigation, conducted independently by cybersecurity firm CrowdStrike, showed the first evidence of threat activity was on July 2, 2024.

According to the report, the hackers used a 'non-state of Rhode Island non-privileged account' to gain remote access to RIBridges' virtual private network (VPN).

Brian Tardiff, the state's chief digital officer, explained that it was a Deloitte representative's username and password that were used. Deloitte is the company contracted by the state to manage RIBridges, the state's online portal for obtaining social services like SNAP and Medicaid benefits, as well as health insurance through HealthSourceRI.

'CrowdStrike was unable to determine how the Threat Actor gained access to the credentials used to authenticate to the VPN or if multifactor authentication (MFA) was bypassed,' the report said.

From then until late November, the hackers browsed and extracted information from 28 systems within RIBridges, which included the personal data of roughly 644,000 users.

Gov. Dan McKee and other state officials first disclosed the cyberattack on Dec. 13. State officials encouraged potential victims to take steps to prevent identity theft, such as strengthening their passwords and freezing and monitoring their credit.

The system was brought back online in January after extensive testing was done by Deloitte, the company that manages it, and a third-party assessor.

Rhode Island's IT department wants a fresh install of 15 full-time roles

Yahoo

14-05-2025

Rhode Island Department of Administration Director Jonathan Womer, left, and Chief Digital Officer Brian Tardiff testify before the Senate Committee on Finance on Tuesday, May 13, 2025. (Photo by Alexander Castro/Rhode Island Current)

More than half of Rhode Island state government's IT workforce are contractors, Department of Administration (DOA) Director Jonathan Womer told the Senate Committee on Finance during a hearing on Tuesday afternoon.

'That's not an ideal situation,' Womer said.

Now Rhode Island's state IT department thinks it's time for a little spring cleaning: It's asking the General Assembly to approve 15 new full-time hires for fiscal year 2026 to replace contractors with in-house talent.

Womer appeared before the Senate committee to testify on budget amendment #10 from Gov. Dan McKee that would add the 15 positions to the DOA's technology arm, the Division of Enterprise Technology Strategy and Services (ETSS).

The request is budget-neutral, Womer said, as an internal service fund would subsidize the new hires. Rather than draw from general revenue, the Information Technology Internal Service Fund grows from billing other state agencies for IT services they use. A complementary budget amendment #9 details how state agencies are charged for enterprise technology, with leftover project funds going into a restricted receipt account.

'We're not asking for any more money for this,' Womer said. 'We're going to make sure absolutely that this pays for itself.'

Womer added his agency looked inward when servers holding the state's public benefits eligibility system were breached last December, compromising and leaking the personal information of an estimated 657,000 Rhode Islanders. The system, RIBridges, was built and continues to be maintained by state contractor Deloitte, which never sent a representative to any of McKee's numerous press conferences about the breach.

'One of the many things we did when we looked at the RIBridges incident was take a look at institutional and strategic things that we could change to make our IT system stronger,' Womer said, 'and one of those we looked at pretty heavily is making more of our IT personnel state employees.'

Brian Tardiff, the state's chief digital officer and head of the enterprise technology division, testified beside Womer, describing an IT agency whose reliance on contractors goes well beyond the spectacular example of the RIBridges breach.

There are 382 IT personnel who work for the state right now, Tardiff said. Of the 193 contractors, only 40 are working short-term assignments that will end when their contracts do. The remaining 153 workers provide daily operational support — something the state wants to bring in-house.

'The remaining balance is on full time to support normal IT operations in critical leadership roles and critical functional areas,' Tardiff said. 'Compounding our challenge, within the next 48 months, we're looking at a 33% attrition rate through retirement of the workforce.'

That's why the state needs 'the agility to produce job classifications that represent a modern workforce,' Tardiff said. McKee's budget amendment would achieve that by stripping away some usual formalities involved in the state hiring process, including public hearings and other rounds of approval needed to change job classifications and pay scales.

Womer explained that revising a job description can take up to nine months.

'Sometimes nine months in the IT world, things have changed completely,' Womer said.

Topping Tardiff's wishlist for his department are an RIBridges technical lead, a security analyst, and project delivery management to improve coordination of major IT initiatives across agencies.

Tardiff told lawmakers the average cost of a contractor is $260,000 to $280,000 per year, while the proposed full-time staff would cost around $240,000, including benefits. Ideally, some contractors could be brought in-house, which would also enlarge the state's pension fund, Tardiff said.

Sen. Susan Sosnowski called the pivot from contracted labor 'refreshing.'

'Sometimes I feel like it's a sense of déjà vu, because I could remember years ago in the Finance Committee, how we were told it was the best thing to have contractors and so forth versus employees,' Sosnowski said.

Freshman Cranston Democratic Sen. Lammis Vargas was so eager to ask about the 15 IT hires that she mistakenly directed her question at the afternoon's first presenter Richard Charest, head of the Executive Office of Health and Human Services.

Charest answered anyway: 'I'd love to have 15 FTEs,' he said with a smile, drawing laughter from the audience and committee alike.

Once Tardiff and Womer sat down, Vargas picked up where she left off, and questioned Tardiff about high turnover in the department. Only 172 of 189 state IT positions are filled, Tardiff said, and despite actively recruiting for eight more hires, turnover is constant, with the number of vacant slots mercurial.

'That number fluctuates almost monthly,' Tardiff said. 'Last month it was five. I had three personnel retire this month. So now it's eight.'

'Might be tough for you to answer, but how long do you foresee filling these in?' Vargas asked.

'There's always going to be five or six [vacancies] for that volume of personnel,' Womer replied. 'We'll have that number of vacancies at any given point in time…We thought we could successfully do 15 in the next fiscal year, which is the reason we only asked for 15.'

Vargas was also concerned that the request is not genuinely cost neutral.

'With the contractors, we're not paying health insurance,' Vargas said.

Womer acknowledged there might be individual differences in pay rates for individual contractors, adding retention over time could complicate compensation for future years. But he was firm that the measure will pay for itself.

Chair Lou DiPalma replied playfully to Vargas, 'Senator, we're not giving them any more money.'

R.I. House bill would expand notification obligations after data breach

Yahoo

13-02-2025

Shown is a sample of the free credit monitoring letter that went out to customers affected by the RIBridges data breach. (Photo by Alexander Castro/Rhode Island Current)

Nearly two months after state officials disclosed a colossal breach of Rhode Island's public benefits portal and health insurance marketplace, a state rep is trying to strengthen laws surrounding data leaks of people's private information.

'We need to do something for data breaches. It's just getting ridiculous,' Rep. Robert Phillips, a Woonsocket Democrat, said Tuesday during a meeting of the Rhode Island House Committee on Innovation, Internet and Technology.

Phillips was testifying on his bill H5301, which would change the Identity Theft Protection Act of 2015. The identity protection act was last modified in 2023 and regulates how state agencies, or other entities that hold onto people's personal information, are supposed to respond in the event of a data breach. The most recent example is the December 2024 RIBridges breach which is believed to have exposed the personal information of over 650,000 Rhode Islanders.

Under the current law, data breaches that affect 500 or more people require the impacted agency to notify the Rhode Island Attorney General. Phillips' bill would eliminate that threshold and require all breaches to be reported to both the Attorney General and the Department of Business Regulations (DBR).

It would also make 'any agency, entity, or any other person that maintains or stores, but does not own or license, data,' subject to notification requirements. That could include entities like Deloitte, the system vendor and architect for RIBridges.

The General Assembly last updated the data breach laws in 2023, the same year the Rhode Island Public Transit Authority (RIPTA) found itself embroiled in a legal battle over a 2021 employee data breach. The legislature decided to create different notification periods for businesses versus government agencies.

Lenette Forry-Menard, a lobbyist and attorney with Champion Advocacy Associates, testified on behalf of the Northern Rhode Island Chamber of Commerce. During the 2023 update of the Identity Protection Act, legislators decided that public entities had to notify the Attorney General of a breach in 30 days, down from 45 days. The notification window for businesses stayed at 45 days.

The lobbyist said Phillips' bill is 'unclear' as to whether businesses would still be subject to the 45-day limit to notify state authorities, or if the notification timespan would be shorter.

Forry-Menard argued changing the language surrounding a breach's severity of risk might be problematic, as it could make it tricky for businesses to determine what needs to be reported to the state.

Forry-Menard gave an example: 'I'm a remote worker, so I have my computer at home. I'm working on it. I may get up and go to the restroom, and my husband, who's around sometimes, may walk through the office. Technically, under the letter of the law, if you take out the language that's there right now about the significant risk, I should have to notify the attorney general, or under this bill, DBR, that I may have been breached. I don't think anybody wants that.'

Director of the Department of Administration Jonathan Womer also submitted written testimony on the bill.

'The Department has a great appreciation for the importance of this statute, particularly in light of the recent RIBridges data breach, but would like to raise a few operational concerns with the proposed amendments,' Womer wrote.

The director took issue with the proposal's prescription that a breach victim ''cooperate with the owner or licensor' of compromised information…There is no definition of 'cooperate,' which makes this requirement ambiguous and open-ended,' Womer wrote. 'This requirement will likely generate unnecessary confusion for impacted individuals about what they are entitled to from an entity that holds their data.'

As written, the bill could also create administrative burden and delay the existing notification process, Womer wrote.

Phillips' bill was held for further study, as is standard on a piece of legislation's first introduction. He told the committee he's willing to edit the bill and incorporate feedback from stakeholders.

Deloitte pays $5 million to Rhode Island to cover costs of RIBridges data breach

Yahoo

04-02-2025

A sample of the free credit monitoring letter that went out to customers affected by the RIBridges data breach is seen curling on a windowsill. The credit monitoring is being paid for by system vendor Deloitte, and Rhode Island Gov. Dan McKee's office announced Tuesday that the firm will also pay for $5 million in additional costs incurred since the December data breach. (Photo by Alexander Castro/Rhode Island Current)

The consulting firm that built and manages RIBridges has paid $5 million to the state of Rhode Island for expenses associated with the December data breach of the public benefits and health insurance system.

'Deloitte has recognized that the state has immediate and unexpected expenses related to the breach, and we appreciate their willingness to lend financial support,' McKee said in a statement Tuesday.

A breakdown of the $5 million payment was not immediately available on Tuesday afternoon. Part of the cash will cover expenses incurred as a result of directly enrolling roughly 2,000 customers with Blue Cross & Blue Shield of Rhode Island and Neighborhood Health Plan of Rhode Island for the months of January and February, after the shutdown of HealthSource RI, the state's health insurance marketplace, McKee's office said.

The temporary direct enrollment program was offered to connect customers directly to insurers if they needed coverage immediately for January and February. The HealthSource marketplace, along with the rest of the RIBridges network which includes programs like food stamps and certain home care services, was shut down after the breach's confirmation on Dec. 13, 2024.

'HealthSource RI worked with insurance providers to offer customers who needed active coverage starting the 1st of the year to enroll directly with Neighborhood Health Plan of Rhode Island and Blue Cross Blue Shield of Rhode Island,' according to the press release. At least part of the $5 million is meant to cover the costs for these customers.

Gov. Dan McKee's office announced the payment Tuesday, after postponing a morning briefing for reporters on the topic of RIBridges. No new date and time for the press conference were announced. McKee spokesperson Olivia DaRocha said in an email that an advisory would be sent ahead of time once a new date and time are set.

A Deloitte spokesperson did not immediately respond to requests for comment.

Deloitte has paid an unspecified amount for credit monitoring and identity protection services for people potentially affected by the breach, a number estimated to be around 657,000. That number was determined during an ongoing forensic analysis of the breach, by examining which parts of the network had been affected by the cybercriminals, state officials said in January.

Globally, Deloitte made $67.2 billion in its fiscal year 2024, of which $33 billion came from the U.S.

In the meantime, the RIBridges system's customer-facing portal is largely back online. After system access was restored for state employees and other backend workers in early January, staggered waves of customers began to receive password reset emails after Jan. 23. The emails do not include links to reduce suspicion of phishing attempts.

After receiving instructions on how to reset their passwords, customers can log on once more to the RIBridges portal and access their data and apply for benefits. A popup message on the site Tuesday states new user sign ups are available again as well.
