The Pennsylvania Office of the Attorney General (OAG) suffered a **ransomware attack** in **August 2025**, attributed to the **Inc Ransom group**, resulting in a confirmed **data breach**. The attack disrupted the OAG’s **website, email, and phone systems for three weeks**, while the threat actors claimed to have stolen **5.7 TB of sensitive data**, including files from critical divisions such as **Criminal Investigations, Medicaid Fraud, Child Predator Section, Bureau of Narcotics, and FBI-related internal network access**. The breach exposed **personal information** of individuals, including **names, Social Security numbers, and medical records**, though the OAG stated there was **no evidence of misuse**. The **Inc Ransom group** publicly took responsibility, asserting they had compromised **highly sensitive law enforcement data**, including **executive office files, investigative bureaus, and templates related to high-profile cases**. The initial access was linked to the exploitation of the **CitrixBleed2 vulnerability (CVE-2023-4966)** in Citrix NetScaler. The OAG established a **toll-free helpline** for affected individuals but did not disclose the full scope of the breach or the number of victims.
Pennsylvania Office of Attorney General cybersecurity rating report: https://www.rankiteo.com/company/pennsylvania-office-of-attorney-general
"id": "PEN4902049111925",
"linkid": "pennsylvania-office-of-attorney-general",
"type": "Ransomware",
"date": "6/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
    {'affected_entities': [{'industry': 'public administration / legal services',
                            'location': 'Harrisburg, Pennsylvania, USA',
                            'name': 'Pennsylvania Office of the Attorney General (OAG)',
                            'type': 'government agency (law enforcement)'}],
     'attack_vector': ['exploitation of CitrixBleed2 vulnerability (Citrix NetScaler)',
                       'ransomware deployment'],
     'customer_advisories': ['media notice acknowledging breach but no specific guidance beyond call center'],
     'data_breach': {'data_encryption': ['likely (ransomware attack implies encryption)',
                                         'exfiltration confirmed'],
                     'data_exfiltration': True,
                     'file_types_exposed': ['documents',
                                            'investigative files',
                                            'databases',
                                            'forensic software data'],
                     'personally_identifiable_information': ['names',
                                                             'Social Security numbers',
                                                             'medical information'],
                     'sensitivity_of_data': 'high (includes SSNs, medical info, and law enforcement data)',
                     'type_of_data_compromised': ['personally identifiable information (PII)',
                                                  'law enforcement investigative data',
                                                  'medical records',
                                                  'financial crimes data',
                                                  'internal documents (Word Templates)',
                                                  'forensic software data (Celebrite)']},
     'date_detected': '2025-08-01',
     'date_publicly_disclosed': '2025-11-18',
     'description': "The Pennsylvania Office of the Attorney General (OAG) confirmed a data breach following a ransomware attack attributed to the Inc Ransom group. The attack occurred in August 2025, disrupting the OAG's website, email, and phone systems for about three weeks. The extortion group claimed responsibility on September 21, 2025, and asserted the theft of 5.7 TB of sensitive data, including personal information such as names, Social Security numbers, and medical records. The group also claimed access to the FBI's internal network, though this was not confirmed by OAG. The OAG set up a toll-free call center to assist affected individuals and confirmed no evidence of misuse of the compromised data. The attack was linked to the exploitation of the Citrix NetScaler vulnerability known as CitrixBleed2.",
     'impact': {'brand_reputation_impact': ["potential loss of public trust in OAG's cybersecurity posture",
                                            'media coverage of breach and FBI access claims'],
                'data_compromised': ['names',
                                     'Social Security numbers',
                                     'medical information',
                                     '5.7 TB of sensitive data (including Executive Office files, Criminal Investigations, Financial Crimes, Medicaid Fraud, Child Predator Section, Environmental Crimes, Retail Theft, Special Operations, Bureau of Narcotics, Word Templates, Celebrite software data)'],
                'downtime': '3 weeks (approximately)',
                'identity_theft_risk': ['high (due to exposure of SSNs and medical data)'],
                'operational_impact': ['disruption of public-facing services (website, email, phone)',
                                       'potential compromise of law enforcement and investigative data'],
                'systems_affected': ['website', 'email systems', 'phone systems']},
     'initial_access_broker': {'data_sold_on_dark_web': ['claimed by Inc Ransom (5.7 TB data leak advertised)'],
                               'entry_point': 'Citrix NetScaler vulnerability (CitrixBleed2)',
                               'high_value_targets': ['law enforcement data',
                                                      'FBI internal network (claimed but unconfirmed)',
                                                      'medical and financial records']},
     'investigation_status': 'ongoing (as of November 2025; no evidence of data misuse found)',
     'motivation': ['financial gain (extortion)', 'data theft', 'disruption'],
     'post_incident_analysis': {'root_causes': ['unpatched Citrix NetScaler vulnerability (CitrixBleed2)',
                                                'potential lack of network segmentation or lateral movement controls']},
     'ransomware': {'data_encryption': True,
                    'data_exfiltration': True,
                    'ransomware_strain': 'Inc Ransom (group name; specific strain unnamed)'},
     'references': [{'date_accessed': '2025-11-18',
                     'source': 'SecurityAffairs',
                     'url': 'https://securityaffairs.com/154546/data-breach/pennsylvania-oag-data-breach.html'},
                    {'date_accessed': '2025-09-21',
                     'source': 'Inc Ransom group (dark web leak site)'},
                    {'date_accessed': '2025-09',
                     'source': 'Kevin Beaumont (cybersecurity researcher)'}],
     'response': {'communication_strategy': ['public media notice',
                                             'toll-free call center for support'],
                  'incident_response_plan_activated': True,
                  'recovery_measures': ['restoration of website, email, and phone systems after ~3 weeks'],
                  'remediation_measures': ['setup of toll-free call center for affected individuals (1-833-353-8060)']},
     'stakeholder_advisories': ['toll-free call center for affected individuals'],
     'threat_actor': 'Inc Ransom group',
     'title': 'Pennsylvania Office of the Attorney General (OAG) confirms data breach after August ransomware attack by Inc Ransom group',
     'type': ['data breach', 'ransomware attack'],
     'vulnerability_exploited': 'CitrixBleed2 (CVE not explicitly mentioned but inferred as Citrix NetScaler vulnerability)'}