An investigation is underway to determine what went wrong when hackers gained access to data kept in the RIBridges software system. And already a class-action lawsuit has been filed against the company that manages the database.

TRANSCRIPT:
This interview has been edited for length and clarity.
Hernandez: Could you just briefly help us understand what’s at stake for those people whose personal information has been compromised?
Langevin: Well, what’s at stake is their identity being stolen, hijacked, if you will, and then potentially being used for nefarious purposes to open up credit in their names and obviously for the bad intent of whoever stole the data or puts it out there on the, on the dark web. The most important thing right now that individuals can do, even if you think, even if you’re unsure, that you are involved in this data breach, it’s best to freeze your credit, and the other thing I would do is I would also enable multi-factor authentication.
And those are probably the two biggest things that you can do as well as, you know, alert your bank. If there’s a large transfer of funds from your account, you know, for you to be notified. So basically putting a fraud alert on your accounts. But, first of all, the issue of freezing your credit is very easy to do. It only takes a little while. You freeze it with the three credit agencies, Experian, Equifax and TransUnion. And then if basically someone tries to open an account in your name, they won’t be able to because when they, whoever’s offering the credit, say a credit card or you’d want to buy a car or a mortgage or something of that nature, when they try to check your credit, the credit rating agencies will say they can’t because your credit, the credit is frozen. So they can’t open up credit in your name. And then secondly, the multi-factor authentication means that when you do this with your financial institution, your banks, let’s say, and anytime we want to access your bank account remotely, you put in your username and password, but then your bank will send you a temporary code, say to your cell phone that you have to put into the website and then it allows you access to your account. So those are very easy things to do and it really helps to manage your risk, buy down your risk a lot and that instead of leaving it exposed,
Hernandez: You know, people want to trust that their information is safe, that they can rely on the different government institutions to protect that. But really, are people right to be frustrated and critical of the state of Rhode Island right now?
Langevin: Well, first, let’s understand that this was a third-party vendor that was primarily responsible for protecting the data. Deloitte, as the third-party vendor, was charged with running the system and protecting the data. We had a contract, the state of Rhode Island had a contract with Deloitte. So Deloitte has a lot of questions to answer, and again, there’s a lot of, there’s an ongoing investigation right now to determine how the hackers got in, and what exactly they stole. What, if any of it was encrypted, hopefully some of it was encrypted. Again, I don’t know at this point, so, again, that’s the state is doing that, doing an investigation right now.
I understand people’s frustration, and sure, you can understand why people are frustrated, but I have to tell you, you know, in this day and age of cyber threats, and the cybersecurity challenges that we face and every network, every, you know, whether it’s state government, municipal government, nonprofits or businesses. They’ve got to be right, right 100 percent of the time. The bad guys only have to be right once to get in and potentially carry out a ransomware attack or steal data. So it’s best to be proactive and protect yourself ahead of time.
Hernandez: We know now that the state auditor general had told officials that the system had issues, that Rhode Island hasn’t dedicated adequate resources to cybersecurity. So, you know, again, yes, it’s a third party, but we have to look at our state officials and ask why was the state not more prepared? And you had warnings.
Langevin: Fair question. And those are questions that everyone’s going to have to answer, everyone from, you know, I’m sure the governor to the state legislature. As state leaders, you’re always trying to balance a number of very important priorities. Now, that being said, they’re going to have to do a part of this investigation is going to be looking at what went wrong, what could the state have done better, and then going forward, how do we fix the problems and close that aperture of vulnerability even further. What steps could they do that are most cost-effective that are going to get us to a place of stronger cybersecurity, and that’s something that, you know, the state is going to have to tackle.
Hernandez: Were you surprised that a company as big as Deloitte, which again was managing the RIBridges, didn’t have better systems in place?
Langevin: So yes, I guess I would say as a third-party vendor and you’re selling these services to the state. You’re basically responsible for them. I would hope they would have had stronger cybersecurity measures in place. But again, I don’t know all the details. So I can’t be, I don’t want to rush to judgment and be overly critical yet because I don’t have inside visibility into what Deloitte had and what they don’t. I will also say that right now, every state in the country, every municipality in the country is facing the same thing about resources and how much can you dedicate to this and how secure can you make your systems. They’re going to have to look at if Deloitte didn’t have the most up-to-date system, you know, why not? And who could have done better?
Hernandez: What do we do moving forward? Whether it’s finding another company, finding a better way, maybe having offline systems? What do you think that has to be?
Langevin: We want to make sure that we are, at the very least, running the latest software. We are migrating data to the cloud, if you will, stronger security in the cloud. We want to make sure that we do things where possible, like enabling multi-factor authentication, limiting privileges when someone gets into the system. Obviously early detection is important and limiting how they can move within the system. And then also having a strong response plan going forward.
If you think you have been affected by the security breach, go to cyberalert.RI.gov to learn what steps you can take to protect yourself.

