Rhode Island’s RIBridges, a unified public benefits administration platform managed by Deloitte, suffered a massive data breach in July 2024 that was disclosed in January 2025. The Brain Cipher threat group used stolen Deloitte employee credentials to infiltrate the system and remained undetected for months, exfiltrating sensitive data belonging to roughly 650,000 individuals, one of the largest breaches in the state’s history. Compromised data included PII (names, SSNs, driver’s license numbers, financial and address details, dates of birth, email addresses and phone numbers) and PHI (health and medical records). Some victims had never used RIBridges directly and were affected only through federal verification processes. The breach forced a month-long system shutdown, a $6.3M class-action settlement, and mandated credit monitoring for victims. Deloitte and CrowdStrike led remediation, but the incident exposed critical weaknesses in third-party vendor security, specifically credential protection and monitoring for unauthorized access, and left both RIBridges and Deloitte exposed to identity theft and financial fraud against victims and to long-term reputational harm.
Source: https://www.claimdepot.com/data-breach/ribridges-2025
TPRM report: https://www.rankiteo.com/company/offensivesecurity
{
  "id": "off1462414102725",
  "linkid": "offensivesecurity",
  "type": "Cyber Attack",
  "date": "7/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
    'affected_entities': [
        {'customers_affected': '650,000 individuals',
         'industry': 'public benefits administration',
         'location': 'Rhode Island, USA',
         'name': 'RIBridges',
         'type': 'government technology platform'},
        {'industry': 'consulting/technology services',
         'name': 'Deloitte',
         'type': 'private contractor'}],
    'attack_vector': ['stolen credentials', 'advanced persistent threat (APT)'],
    'customer_advisories': [
        'Monitor for suspicious activity',
        'Consider fraud alerts/credit freezes',
        'Report potential identity theft'],
    'data_breach': {
        'data_exfiltration': True,
        'number_of_records_exposed': '650,000',
        'personally_identifiable_information': True,
        'sensitivity_of_data': 'High (includes SSNs, financial, and health data)',
        'type_of_data_compromised': [
            'PII (names, SSNs, driver’s license numbers, contact details)',
            'PHI (medical/health records)',
            'financial data (account numbers, banking information)']},
    'date_detected': '2024-12',
    'date_publicly_disclosed': '2025-01-14',
    'description': 'RIBridges, Rhode Island’s unified technology platform for administering public benefits, experienced a significant data breach impacting approximately 650,000 individuals. The breach occurred when the Brain Cipher threat group exploited credentials belonging to a Deloitte employee, gaining unauthorized access to the RIBridges system in July 2024. The attack went undetected for months and was discovered after hackers posted stolen data on a leak site in December 2024. Sensitive PII and PHI were exposed, including names, Social Security numbers, financial data, health records, and more. Some affected individuals had never directly used RIBridges but were included due to federal verification processes.',
    'impact': {
        'brand_reputation_impact': 'Significant (one of the largest breaches in Rhode Island history)',
        'data_compromised': [
            'names',
            'Social Security numbers',
            'account numbers',
            'addresses',
            'banking/financial information',
            'dates of birth',
            'driver’s license numbers',
            'email addresses',
            'phone numbers',
            'health/medical information',
            'personally identifiable information (PII)',
            'protected health information (PHI)'],
        'downtime': '~1 month (system taken offline for containment)',
        'financial_loss': '$6.3 million (settlement)',
        'identity_theft_risk': 'High (PII and financial data exposed)',
        'legal_liabilities': '$6.3 million class action settlement',
        'operational_impact': 'System offline for containment and assessment; phased relaunch with improved protections',
        'payment_information_risk': 'High (banking/financial information exposed)',
        'systems_affected': ['RIBridges platform']},
    'initial_access_broker': {
        'data_sold_on_dark_web': True,
        'entry_point': 'Compromised Deloitte employee credentials',
        'high_value_targets': ['RIBridges system', 'PII/PHI databases'],
        'reconnaissance_period': 'July 2024 to December 2024 (undetected for ~5 months)'},
    'investigation_status': 'Completed (with CrowdStrike’s assistance)',
    'post_incident_analysis': {
        'corrective_actions': [
            'Strengthened security protocols',
            'Additional safeguards implemented',
            'Phased relaunch with improved protections',
            'Third-party cybersecurity investigation (CrowdStrike)'],
        'root_causes': [
            'Compromised credentials (Deloitte employee)',
            'Delayed detection (breach undetected for months)',
            'Inadequate monitoring for unauthorized access']},
    'ransomware': {'data_exfiltration': True},
    'recommendations': [
        'Monitor financial accounts and credit reports',
        'Place fraud alerts or credit freezes',
        'Strengthen credential security and access controls',
        'Implement continuous monitoring for unauthorized access'],
    'references': [{'source': 'Rhode Island Attorney General’s Office'}],
    'regulatory_compliance': {
        'legal_actions': ['$6.3 million class action settlement'],
        'regulatory_notifications': ['Rhode Island Attorney General’s office']},
    'response': {
        'communication_strategy': [
            'Disclosure to Rhode Island Attorney General',
            'Public advisory for affected individuals',
            'Encouragement to monitor financial/credit accounts',
            'Recommendations for fraud alerts/credit freezes'],
        'containment_measures': ['System taken offline', 'access revoked'],
        'enhanced_monitoring': True,
        'incident_response_plan_activated': True,
        'law_enforcement_notified': True,
        'recovery_measures': ['Phased relaunch of RIBridges with improved protections'],
        'remediation_measures': ['Security protocols strengthened', 'additional safeguards implemented'],
        'third_party_assistance': ['CrowdStrike (cybersecurity investigation)']},
    'stakeholder_advisories': [
        'Public disclosure via Attorney General',
        'Guidance for affected individuals on protective measures'],
    'threat_actor': 'Brain Cipher',
    'title': 'RIBridges Data Breach Impacting 650,000 Individuals',
    'type': ['data breach', 'unauthorized access', 'credential exploitation'],
    'vulnerability_exploited': 'Compromised Deloitte employee credentials'
}