The Pennsylvania Office of the Attorney General (OAG) suffered a ransomware attack in August 2025, attributed to the Inc Ransom group, resulting in a confirmed data breach. The attack disrupted the OAG's website, email, and phone systems for about three weeks. The threat actors claimed to have stolen 5.7 TB of data, including files from the Executive Office, Criminal Investigations, Financial Crimes, Medicaid Fraud, the Child Predator Section, and the Bureau of Narcotics; they also claimed access to the FBI's internal network, a claim the OAG has not confirmed. The breach exposed personal information including names, Social Security numbers, and medical records, though the OAG stated it had found no evidence that the data had been misused. Inc Ransom publicly took responsibility on September 21, 2025, asserting it had compromised highly sensitive law enforcement data, including executive office files, investigative bureau material, Word templates, and Cellebrite forensic software data. Initial access was linked to exploitation of the CitrixBleed 2 vulnerability in Citrix NetScaler; the public reporting did not cite a CVE, but CitrixBleed 2 is tracked as CVE-2025-5777 (the original CitrixBleed of 2023 is CVE-2023-4966, a different flaw). The OAG established a toll-free helpline for affected individuals but did not disclose the full scope of the breach or the number of people affected.
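The one check a practitioner reading this record will want is whether their own NetScaler ADC or Gateway builds predate the CitrixBleed 2 fix. The script below is an added example and is not code from the OAG, Inc Ransom reporting, or Citrix. It assumes the minimum patched builds Citrix published for CVE-2025-5777 in June 2025 (14.1-43.56, 13.1-58.32, 13.1-FIPS/NDcPP 37.235, 12.1-FIPS 55.328) and that the 12.1 and 13.0 mainline branches were end of life with no fix; those numbers are an assumption to verify against the current Citrix advisory before acting on a result. The version strings and hostnames in it are constructed for illustration.

```python
"""Flag NetScaler ADC/Gateway builds that predate the CitrixBleed 2 fix.

Added example, not part of the breach record. FIXED_BUILDS and EOL_BRANCHES
are ASSUMED from Citrix's June 2025 advisory for CVE-2025-5777; confirm them
against the current advisory before relying on the output.
"""
import re
from typing import Dict, NamedTuple, Tuple


class Build(NamedTuple):
    branch: str  # e.g. "14.1"
    major: int   # e.g. 43
    minor: int   # e.g. 56


# (branch, is_fips_or_ndcpp) -> first build containing the fix (ASSUMPTION).
FIXED_BUILDS: Dict[Tuple[str, bool], Tuple[int, int]] = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),   # 13.1-FIPS / 13.1-NDcPP branch
    ("12.1", True): (55, 328),   # 12.1-FIPS branch
}
# Branches that received no fix (end of life): every build is vulnerable (ASSUMPTION).
EOL_BRANCHES = {("12.1", False), ("13.0", False)}

_PATTERNS = [
    # "NetScaler NS14.1: Build 43.56.nc, Date: ..." as printed by `show ns version`
    re.compile(r"NS(?P<branch>\d+\.\d+):\s*Build\s+(?P<major>\d+)\.(?P<minor>\d+)"),
    # "14.1-43.56" as written in Citrix advisories and firmware file names
    re.compile(r"^(?P<branch>\d+\.\d+)-(?P<major>\d+)\.(?P<minor>\d+)"),
]


def parse_build(text: str) -> Build:
    """Extract (branch, major, minor) from either common version string format."""
    for pat in _PATTERNS:
        m = pat.search(text.strip())
        if m:
            return Build(m["branch"], int(m["major"]), int(m["minor"]))
    raise ValueError(f"unrecognised NetScaler version string: {text!r}")


def is_vulnerable(text: str, fips: bool = False) -> bool:
    """True if the build is older than the first fixed build for its branch.

    `fips` must be set by the operator: the FIPS/NDcPP branches share the
    "13.1"/"12.1" prefix with the mainline branches but have different build
    numbering, so the string alone does not identify them.
    """
    b = parse_build(text)
    key = (b.branch, fips)
    if key in EOL_BRANCHES:
        return True
    if key not in FIXED_BUILDS:
        raise ValueError(f"no fix data for branch {b.branch} (fips={fips})")
    return (b.major, b.minor) < FIXED_BUILDS[key]


def triage(inventory: Dict[str, Tuple[str, bool]]) -> Dict[str, bool]:
    """Map hostname -> vulnerable? for an inventory of (version_string, fips)."""
    return {host: is_vulnerable(ver, fips) for host, (ver, fips) in inventory.items()}


# Constructed sample inventory; hostnames and versions are not real systems.
SAMPLE_INVENTORY = {
    "gw1.example": ("NetScaler NS14.1: Build 43.50.nc, Date: Jun 1 2025", False),
    "gw2.example": ("14.1-43.56", False),
    "gw-fips.example": ("13.1-37.235", True),
    "legacy.example": ("13.0-92.21", False),
}

if __name__ == "__main__":
    for host, vuln in triage(SAMPLE_INVENTORY).items():
        status = "VULNERABLE: patch, then terminate active sessions" if vuln else "patched"
        print(f"{host}: {status}")
```

Patching alone is not the end of the check: because the flaw leaks memory contents such as session tokens rather than breaking authentication, Citrix's guidance was to terminate existing ICA and PCoIP sessions after upgrading so that anything already harvested stops being valid, and to review appliance logs for the period before the upgrade.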
Pennsylvania Office of Attorney General cybersecurity rating report: https://www.rankiteo.com/company/pennsylvania-office-of-attorney-general
"id": "PEN4902049111925",
"linkid": "pennsylvania-office-of-attorney-general",
"type": "Ransomware",
"date": "6/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'public administration / legal services',
'location': 'Harrisburg, Pennsylvania, USA',
'name': 'Pennsylvania Office of the Attorney General '
'(OAG)',
'type': 'government agency (law enforcement)'}],
'attack_vector': ['exploitation of CitrixBleed2 vulnerability (Citrix '
'NetScaler)',
'ransomware deployment'],
'customer_advisories': ['media notice acknowledging breach but no specific '
'guidance beyond call center'],
'data_breach': {'data_encryption': ['likely (ransomware attack implies '
'encryption)',
'exfiltration confirmed'],
'data_exfiltration': True,
'file_types_exposed': ['documents',
'investigative files',
'databases',
'forensic software data'],
'personally_identifiable_information': ['names',
'Social Security '
'numbers',
'medical information'],
'sensitivity_of_data': 'high (includes SSNs, medical info, '
'and law enforcement data)',
'type_of_data_compromised': ['personally identifiable '
'information (PII)',
'law enforcement investigative '
'data',
'medical records',
'financial crimes data',
'internal documents (Word '
'Templates)',
'forensic software data '
'(Cellebrite)']},
'date_detected': '2025-08-01',
'date_publicly_disclosed': '2025-11-18',
'description': 'The Pennsylvania Office of the Attorney General (OAG) '
'confirmed a data breach following a ransomware attack '
'attributed to the Inc Ransom group. The attack occurred in '
"August 2025, disrupting the OAG's website, email, and phone "
'systems for about three weeks. The extortion group claimed '
'responsibility on September 21, 2025, and asserted the theft '
'of 5.7 TB of sensitive data, including personal information '
'such as names, Social Security numbers, and medical records. '
"The group also claimed access to the FBI's internal network, "
'though this was not confirmed by OAG. The OAG set up a '
'toll-free call center to assist affected individuals and '
'confirmed no evidence of misuse of the compromised data. The '
'attack was linked to the exploitation of the Citrix NetScaler '
'vulnerability known as CitrixBleed2.',
'impact': {'brand_reputation_impact': ['potential loss of public trust in '
"OAG's cybersecurity posture",
'media coverage of breach and FBI '
'access claims'],
'data_compromised': ['names',
'Social Security numbers',
'medical information',
'5.7 TB of sensitive data (including '
'Executive Office files, Criminal '
'Investigations, Financial Crimes, Medicaid '
'Fraud, Child Predator Section, Environmental '
'Crimes, Retail Theft, Special Operations, '
'Bureau of Narcotics, Word Templates, '
'Cellebrite software data)'],
'downtime': '3 weeks (approximately)',
'identity_theft_risk': ['high (due to exposure of SSNs and medical '
'data)'],
'operational_impact': ['disruption of public-facing services '
'(website, email, phone)',
'potential compromise of law enforcement '
'and investigative data'],
'systems_affected': ['website', 'email systems', 'phone systems']},
'initial_access_broker': {'data_sold_on_dark_web': ['claimed by Inc Ransom '
'(5.7 TB data leak '
'advertised)'],
'entry_point': 'Citrix NetScaler vulnerability '
'(CitrixBleed2)',
'high_value_targets': ['law enforcement data',
'FBI internal network '
'(claimed but unconfirmed)',
'medical and financial '
'records']},
'investigation_status': 'ongoing (as of November 2025; no evidence of data '
'misuse found)',
'motivation': ['financial gain (extortion)', 'data theft', 'disruption'],
'post_incident_analysis': {'root_causes': ['unpatched Citrix NetScaler '
'vulnerability (CitrixBleed2)',
'potential lack of network '
'segmentation or lateral movement '
'controls']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransomware_strain': 'Inc Ransom (group name; specific strain '
'unnamed)'},
'references': [{'date_accessed': '2025-11-18',
'source': 'SecurityAffairs',
'url': 'https://securityaffairs.com/154546/data-breach/pennsylvania-oag-data-breach.html'},
{'date_accessed': '2025-09-21',
'source': 'Inc Ransom group (dark web leak site)'},
{'date_accessed': '2025-09',
'source': 'Kevin Beaumont (cybersecurity researcher)'}],
'response': {'communication_strategy': ['public media notice',
'toll-free call center for support'],
'incident_response_plan_activated': True,
'recovery_measures': ['restoration of website, email, and phone '
'systems after ~3 weeks'],
'remediation_measures': ['setup of toll-free call center for '
'affected individuals '
'(1-833-353-8060)']},
'stakeholder_advisories': ['toll-free call center for affected individuals'],
'threat_actor': 'Inc Ransom group',
'title': 'Pennsylvania Office of the Attorney General (OAG) confirms data '
'breach after August ransomware attack by Inc Ransom group',
'type': ['data breach', 'ransomware attack'],
'vulnerability_exploited': 'CitrixBleed2 (CVE not explicitly mentioned but '
'inferred as Citrix NetScaler vulnerability)'}