
Deloitte Faces Class Action Over Massive Rhode Island RIBridges Data Breach
PROVIDENCE, R.I., December 16, 2024 – Deloitte Consulting LLP is facing a proposed federal class action following a major cyberattack that has compromised the sensitive personal data of thousands of Rhode Island residents who receive government-administered benefits. The breach, which affected the RIBridges system managed by Deloitte, exposed the Social Security numbers, bank information and other personally identifiable information of individuals who depend on the Supplemental Nutrition Assistance Program (SNAP), the Child Care Assistance Program (CCAP) and other public services.
According to the complaint filed in the United States District Court for the Southern District of New York, Deloitte failed to take reasonable security measures to protect the RIBridges system. The firm reported the breach on 5 December 2024, but delayed notification to Rhode Island officials until 13 December. The data included unencrypted documents containing the names, addresses, dates of birth and financial details of residents, making thousands of people vulnerable to identity theft and fraud. At a press conference on 14 December, Rhode Island Governor Dan McKee revealed that hundreds of thousands of residents could be affected by the attack.
Cyber attack details
The RIBridges system, launched in 2016 as a centralized eligibility platform for social programs, is at the heart of the dispute. According to the Rhode Island Department of Human Services (DHS), Deloitte reported the presence of malicious code in the system on December 13. The breach was attributed to the ransomware group known as Brain Cipher, which claimed responsibility at the beginning of this month. Brain Cipher apparently exfiltrated a terabyte of data and threatened to release it unless a ransom was paid. Deloitte has not yet confirmed whether ransom negotiations are under way.
“As we learned that a state system supported by Deloitte had been attacked by an international group of cyber criminals, we launched an investigation in collaboration with our clients and law enforcement officials,” Deloitte told BleepingComputer. The RIBridges portal was taken offline to prevent further data loss, which disrupted online access for beneficiaries. Applicants and recipients of state programs, including Medicaid and HealthSource RI, were forced to rely on paper applications and extended office hours to access their benefits.
Negligence allegations
The proposed class action, led by plaintiff Patricia Mahoney, a SNAP beneficiary in Rhode Island, accuses Deloitte of negligence, breach of implied contract and unjust enrichment. The complaint states that Deloitte failed to properly secure its systems, monitor vulnerabilities or notify affected individuals in a timely manner. Mahoney seeks compensation for legal costs and court-ordered security improvements, including annual audits and lifetime credit monitoring for the individuals concerned.
“The gaps in the data have a huge emotional and financial impact on those affected, which disrupts their lives, stresses them and exposes them to the risk of identity theft,” said counsel Peter N. Wasylyk, who represents the complainants. This incident is just another example of the critical need for entities to take firm action to protect this sensitive personal information.
Government Response and Recommendations
In response to this breach, Rhode Island officials urged residents to take protective measures, including credit freezes, bank fraud alerts and online password changes. The state has established a dedicated call centre and launched a website to help affected people. Staff are also working to process benefits manually, and field offices are extending their hours to mitigate delays.
Governor McKee acknowledged the seriousness of the situation in a series of press conferences, saying: “We know this is alarming and stressful. State officials work tirelessly to ensure that the people concerned receive the support they need.” Despite these efforts, McKee said that the state remains at the mercy of cyber criminals, noting that “we do not control whether and when cyber criminals will make this information public.”
Wider consequences for Deloitte
This incident is not Deloitte’s first challenge with the RIBridges system. Originally developed as a unified health infrastructure project, the platform has experienced years of operational problems and legal scrutiny. The current breach has renewed concerns about platform security and the management of sensitive state data. State Senator Lou DiPalma criticized the situation as “a moment of all hands on the bridge,” calling for immediate reviews of encryption standards and security protocols in all state systems.
“Was the data encrypted?” DiPalma asked, citing the Rhode Island Identity Theft Protection Act of 2015, which imposes minimum encryption standards for stored PII. According to Infosecurity, Deloitte and government officials have not yet confirmed whether the data involved met these requirements.
Ransomware and further investigation
Ransomware attacks against government entities and private companies have become more and more frequent, with Brain Cipher emerging as an important player in recent large-scale breaches. Deloitte’s global operations and its management of sensitive state contracts make it a major target for cyber criminals. Security experts argue that full encryption, endpoint protection and periodic vulnerability assessments are essential to prevent such incidents.
Law enforcement agencies, including the FBI, are helping Rhode Island investigate the breach. Deloitte continues to face increasing scrutiny. “We will continue to work all the time to solve this problem,” said Karen Walsh, a spokesperson for Deloitte, in a statement. However, the plaintiffs in the class action argue that Deloitte’s delays and lack of transparency aggravated the harm caused by the breach.
The scope of the breach remains uncertain, as the investigation of the incident is ongoing. Meanwhile, public officials are working through a long recovery process, including the restoration of the system and the review of legislation to prevent similar breaches in the future.
For the time being, people in Rhode Island are waiting for answers and support as the fallout from this major data breach continues to unfold.