[BreachExchange] RIPTA cyberattack obtained info on state workers with no ties to transit agency

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Wed Dec 29 09:25:09 EST 2021


https://www.wpri.com/target-12/ripta-cyberattack-obtained-info-on-state-workers-with-no-ties-to-transit-agency/

PROVIDENCE, R.I. (WPRI) – A cyberattack on the R.I. Public Transit
Authority in August affected far more people than initially estimated,
including an undisclosed number of state workers without any affiliation
with the quasi-public agency.

Target 12 confirmed Tuesday that state employees – both current and retired
– have begun receiving letters from RIPTA, notifying them that suspected
criminals accessed files containing their personal information, which was
being held at the state’s public transit agency.

“This information included your name, Social Security number, and one or
more of the following: address, date of birth, Medicare identification
number and qualification information, health plan member identification
number and claims information,” RIPTA wrote in one letter dated Dec. 21
obtained by Target 12.

RIPTA senior executive officer Courtney Marciano said the affected files
contained information from the state’s health insurance billing plan, which
included the personal details of state workers outside of the agency. She
did not know immediately why RIPTA had the files to begin with, saying it
was from a provider who administered the plan “that is no longer active.”

Human resources information — such as health insurance material — is
typically maintained within the R.I. Department of Administration.

“That’s the million-dollar question,” Marciano said when asked why RIPTA
had that information, adding that letters were only sent out to individuals
whose personal information was in the files.

“I don’t believe there was anything erroneous or malicious going on,” she
said.

No passenger information was compromised, she added.

The revelation has already sparked outrage from the ACLU of Rhode Island,
which sent a letter to RIPTA demanding answers about why the agency had
that personal information. The advocacy group also criticized the agency
for providing “misleading information to the public about the hack.”

“People who have contacted us are even more deeply distressed by the fact
that RIPTA somehow had any of their personal information – much less their
personal health care information – in the first place, as they have no
connection at all with your agency,” Rhode Island ACLU executive director
Steven Brown wrote in the letter to RIPTA CEO Scott Avadisian.

Marciano said she did not know how many people were affected by the attack.
But the ACLU said it had received a letter from one person indicating the
total exceeded 17,700 people, which the group noted totaled roughly three
times more than the 5,000 people RIPTA initially disclosed earlier this
year.

Brown also questioned why it took the agency this long to start notifying
the affected workers about the hack.

“The breach was identified on Aug. 5, but it was purportedly not until Oct.
28 — over two-and-a-half months later — that RIPTA identified the
individuals whose private information had been hacked, and it then took
almost two more months to notify those individuals,” Brown wrote.

In response to the letter, Marciano said the internal investigation that
looked into what information was accessed was “time and labor-intensive,
but RIPTA wanted to be certain what information was involved and to whom it
pertained.”

“We received the letter from the ACLU and it’s under review,” she added.

In addition to the RIPTA notifications, DOA director Jim Thorsen sent a
separate letter to all employees within the state’s executive branch,
notifying them about the compromised information. The letters were sent to
employees regardless of whether their information was accessed.

“I write to inform you that the Rhode Island Public Transit Authority
(RIPTA) was the target of a recent security incident that involved the
personal information of beneficiaries of the State of Rhode Island’s health
plans,” he wrote, adding the affected files were from billing plans “from
about 2013 through 2015.”

RIPTA announced it would be providing complimentary membership to identity
monitoring services through Equifax. For people who think they were
affected by the hack but do not receive a letter by Jan. 20, Thorsen urged
them to contact a call center at 855-604-1669.