Rhode Island officials said a ransomware group has begun to leak stolen information from a state social services database following a December attack.
In a Monday press conference, Rhode Island Gov. Daniel McKee said the state was informed by Deloitte, which manages the RIBridges program, that hackers had begun to release data on a dark web leak site.
“The contents of those files are still being analyzed by experts,” McKee told reporters during the briefing. “Identifying what is in those files is a complex process, but they’re working right now to make those identifications.”
RIBridges is a state program that administers several social services programs, including Medicaid and Temporary Assistance for Needy Families.
Officials said in a late December briefing the attack impacted about 650,000 people, with a range of personally identifiable data being leaked. This included names, addresses, Social Security numbers, dates of birth and some personal banking information, according to state officials.
A threat group called Brain Cipher previously claimed credit for the attack, which was disclosed Dec. 5. The group has been active since June 2024 and leverages the LockBit 3.0 payload for its ransomware, SentinelOne previously told Cybersecurity Dive.
The group often uses phishing campaigns to gain initial access to targeted organizations, tricking users into downloading malicious files, according to Jon Miller, co-founder and CEO of Halcyon.
“Once inside, they leverage tools and exploits to move laterally across networks, frequently targeting Windows domain administrator credentials to maximize their reach,” Miller said via email.
Researchers from Sophos confirmed Brain Cipher posted detailed information on a leak site claiming credit for the RIBridges database incident.
McKee said Deloitte has been in contact with the threat group, which had threatened to leak data if its demands were not met. The state told Deloitte it expects the firm to bear the cost of out-of-pocket expenses related to responding to the incident.
Recovery efforts
The state is carrying out a multistage restoration process and hopes to have the database back online starting in mid-January.
Officials previously warned residents to be mindful of potential fraud due to the leaked credentials and urged them to check their credit reports and employ multifactor authentication on their personal accounts.
McKee said the state is working with Deloitte to identify the names of people impacted by the hack and will send consumer notification letters to them directly. Those letters will include information on how to set up credit monitoring.
McKee emphasized in the Monday briefing that January payments for food assistance and cash benefits will show up on time. The state is also taking steps to make sure health insurance benefits are not disrupted by the attack.