The Pennsylvania Office of Attorney General (OAG) suffered a **ransomware attack** by the **Inc Ransom group**, leading to a **data breach** in which **5.7 TB of sensitive data** was allegedly stolen, including **personal information (names, Social Security numbers, medical records)** from investigative units and details of the office's Cellebrite software usage. The attack disrupted **websites, emails, and phone lines for three weeks**; no ransom was paid. Initial access came through exploitation of the **CitrixBleed2 vulnerability (Citrix NetScaler)**, which gave the attackers a foothold on the internal network. While the OAG states it has **no evidence of misuse**, ransomware groups typically leak or sell stolen data in cybercriminal circles. The full number of affected individuals remains unclear, but the breach exposed highly sensitive government and citizen data, posing risks of identity theft, fraud, and operational disruption.
Pennsylvania Office of Attorney General cybersecurity rating report: https://www.rankiteo.com/company/pennsylvania-office-of-attorney-general
{
  "id": "PEN2492824111825",
  "linkid": "pennsylvania-office-of-attorney-general",
  "type": "Ransomware",
  "date": "11/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'industry': 'law enforcement / legal',
                        'location': 'Pennsylvania, USA',
                        'name': 'Pennsylvania Office of the Attorney General (OAG)',
                        'type': 'government agency'}],
 'attack_vector': 'Exploitation of CitrixBleed2 vulnerability in Citrix Netscaler',
 'customer_advisories': 'Data incident notice published (2023-09, exact date unclear)',
 'data_breach': {'data_encryption': 'yes (file-encrypting malware deployed)',
                 'data_exfiltration': 'yes (5.7 TB claimed by threat actor)',
                 'personally_identifiable_information': 'yes (names, Social Security numbers, medical information)',
                 'sensitivity_of_data': 'high (SSNs, medical records, law enforcement investigative data)',
                 'type_of_data_compromised': ['personal identifiable information (PII)',
                                              'investigative files',
                                              'law enforcement software data (Cellebrite)']},
 'date_detected': '2023-08',
 'date_publicly_disclosed': '2023-08',
 'description': "The Pennsylvania Office of the Attorney General (OAG) suffered a ransomware attack in 2023, leading to a data breach where 5.7 TB of data was allegedly stolen by the Inc Ransom group. The attack disrupted the OAG's website, email accounts, and phone lines for approximately three weeks. Personal information, including names, Social Security numbers, and medical records, was potentially accessed. The OAG confirmed no ransom was paid, and the attack was likely conducted via exploitation of the CitrixBleed2 vulnerability in Citrix Netscaler.",
 'impact': {'brand_reputation_impact': 'high (public disclosure of breach, potential misuse of sensitive data)',
            'data_compromised': ['personal information (names, SSNs, medical records)',
                                 'investigative unit files',
                                 'Cellebrite software usage details'],
            'downtime': '3 weeks',
            'identity_theft_risk': 'high (SSNs and medical data exposed)',
            'operational_impact': 'severe disruption to services (website, email, phone lines)',
            'systems_affected': ['website',
                                 'email accounts',
                                 'phone lines',
                                 'internal network']},
 'initial_access_broker': {'data_sold_on_dark_web': 'claimed by Inc Ransom group (5.7 TB)',
                           'entry_point': 'Citrix Netscaler vulnerability (CitrixBleed2)',
                           'high_value_targets': ['investigative unit files',
                                                  'Cellebrite software data']},
 'investigation_status': 'ongoing (potential access confirmed, but no evidence of misuse)',
 'motivation': ['financial gain', 'data theft', 'disruption'],
 'post_incident_analysis': {'root_causes': 'exploitation of unpatched CitrixBleed2 vulnerability in Citrix Netscaler'},
 'ransomware': {'data_encryption': 'yes',
                'data_exfiltration': 'yes (5.7 TB claimed)',
                'ransom_paid': 'no'},
 'references': [{'source': 'Pennsylvania OAG Data Incident Notice'},
                {'date_accessed': '2023-09',
                 'source': "Kevin Beaumont's report on CitrixBleed2 exploitation"},
                {'date_accessed': '2023-09-21',
                 'source': "Inc Ransom group's claim on dark web"}],
 'response': {'communication_strategy': 'public disclosure via data incident notice',
              'incident_response_plan_activated': 'yes (investigation conducted)',
              'recovery_measures': 'restoration of website, email, and phone services after ~3 weeks'},
 'threat_actor': 'Inc Ransom group',
 'title': 'Pennsylvania Office of the Attorney General Ransomware Attack and Data Breach',
 'type': ['ransomware', 'data breach'],
 'vulnerability_exploited': 'CitrixBleed2 (CVE unknown, related to Citrix Netscaler)'}