The cyberattack on RIBridges, Rhode Island’s online public benefits system managed by Deloitte, compromised the personal data of approximately 650,000 Rhode Islanders. The breach, executed by the cybercriminal group Brain Cipher, exposed sensitive information such as names, bank accounts, and Social Security numbers, some of which was later uploaded to the dark web. Affected individuals included users of public benefit programs like Medicaid, SNAP (Supplemental Nutrition Assistance Program), and HealthSource RI (the state’s health insurance marketplace). The incident led to multiple class-action lawsuits, with plaintiffs alleging Deloitte’s failure to secure, encrypt, or adequately destroy personal data, resulting in financial losses for victims. Deloitte settled with the state for $5 million to cover breach-related expenses and is under ongoing civil investigation by the Rhode Island Attorney General. The breach severely damaged trust in the system, prompting the state to explore alternative vendors for modernization before Deloitte’s contract expires in 2026.

A threat actor using the alias '303' allegedly breached Deloitte's systems and leaked sensitive internal data on a dark web forum. The breach involves GitHub credentials and source code from internal project repositories belonging to Deloitte’s U.S. consulting division. The leaked data includes GitHub credentials that could potentially grant unauthorized access to Deloitte’s internal development infrastructure, as well as source code from proprietary projects. This incident adds to Deloitte’s ongoing cybersecurity challenges, with multiple breach allegations in recent months.

Rhode Island Secures $12 Million Settlement from Deloitte Over 2024 RIBridges Data Breach The Rhode Island Department of Administration has finalized a $7 million settlement with Deloitte Consulting LLP, bringing the state’s total recovery from the 2024 RIBridges data breach to $12 million. The agreement, signed by Deloitte Principal Lindsay Musser Hough on April 15 and Acting Department Director Thomas Verdi on April 16, requires payment within 30 days unless an extended deadline is granted. Deloitte, the vendor behind RIBridges a state platform handling Medicaid, food stamps, and health insurance applications had already provided $6 million in additional system enhancements and support at no cost to Rhode Island. The breach, discovered in December 2024, stemmed from a cyberattack by the group Brain Cipher, which infiltrated the system’s backend in July 2024 using stolen credentials from a Deloitte representative. The threat actors remained undetected for months, exfiltrating data from 28 of RIBridges’ 338 backend environments before triggering alerts in late November. Governor Dan McKee first publicly disclosed the breach on December 13, 2024, after Deloitte confirmed the incident following a dark web post by Brain Cipher. The attack compromised the personal information of an estimated 644,401 individuals, including applicants and beneficiaries of state benefits. A third-party forensic report by CrowdStrike later revealed that the last malicious activity occurred on Thanksgiving Day 2024, though Deloitte did not notify the state until December 5. In February 2025, the state received an initial $5 million from Deloitte to cover breach-related expenses. The latest settlement resolves all legal disputes between the parties, with both agreeing to refrain from further litigation, public disparagement, or encouraging third-party lawsuits. The agreement also includes a non-disparagement clause, requiring coordinated public statements. Separately, Deloitte settled a class-action lawsuit in October 2025, which included Rhode Island as a "released party," shielding the state from additional claims. Over 47,000 class members filed claims for compensation, with most receiving around $100 and others eligible for higher reimbursements with documented losses. While the forensic report attributed the breach to Deloitte’s failure to detect the intrusion, the settlement explicitly states that neither party admits liability. The state’s legal recourse appears exhausted, though Governor McKee previously stated that Deloitte bore responsibility for oversight lapses.

On November 8, 2022, the Vermont Office of the Attorney General reported that Deloitte Tax LLP experienced an inadvertent disclosure of personal information related to shareholders of APC on September 30, 2022. The notification does not specify the number of affected individuals but mentions that certain personal information was disclosed without evidence of improper use.

Deloitte, an accounting business, revealed that a sophisticated breach hijacked its global email server. The Guardian initially reported the problem, which claims that hackers may have obtained usernames, passwords, and personal information of high-profile clients of prominent accounting firms in addition to emails belonging to corporate customers. Hackers have access to IP addresses, company architectural blueprints, and health data in addition to emails. Although Deloitte attempted to downplay the occurrence, it was established that it was immediately reported to government authorities and the impacted clients. In my opinion, incidents of this nature are always significant.