Deloitte Exposed 644,401 People. Your Settlement: $28.

by Companies Behaving Badly

Deloitte Data Breach Lawsuit Settlements 2026

Global consulting giant Deloitte exposed 644,401 Rhode Islanders’ personal information through inadequate cybersecurity on the state benefits system. The company just paid $7 million to settle with the state, bringing their total payout to $12 million — while admitting no wrongdoing.

A separate class action settlement already paid affected residents about $100 each.

If you’ve ever wondered how consulting firms manage to fail spectacularly at cybersecurity while keeping their government contracts, this one’s a masterclass.

Rhode Island announced the Deloitte privacy settlement in April 2024, bringing the curtain down on a breach that exposed how consulting firms profit from government IT contracts while shifting cybersecurity risk to taxpayers.

The Breach That Kept Giving (to Hackers)

Deloitte built and managed RIBridges — Rhode Island’s benefits portal for Medicaid, food stamps, and health insurance. In July 2023, hackers called Brain Cipher used stolen Deloitte employee credentials to access the system’s backend.

Predictably, nobody noticed for months.

The timeline, based on the state’s settlement announcement:

  • July 2023 — Brain Cipher gains initial access using stolen Deloitte credentials
  • July-November 2023 — Hackers move freely through 28 of 338 backend environments
  • November 2023 — Mass data extraction triggers hundreds of file transfer alerts
  • December 4, 2023 — Brain Cipher posts stolen data on dark web
  • December 5, 2023 — Deloitte finally notifies the state (one day after public leak)
  • December 13, 2023 — Governor McKee tells the public

The hackers had 5 months of unrestricted access before anyone noticed.

How Consulting Contracts Shield Companies from Consequences

Deloitte’s settlement reveals the structural problem with government IT outsourcing. The company collected millions to build a secure system, failed to protect it adequately, then negotiated a settlement that explicitly prevents the state from saying anything negative about their performance.

The agreement includes a non-disparagement clause requiring both parties to “refrain from making any public statements to third parties which are disparaging or derogatory about the other Party.” Even press releases about the settlement had to be “discussed in advance” between Deloitte and the state.

The math shows who really pays:

  • $7 million settlement from Deloitte
  • $5 million earlier payment for breach costs
  • $6 million in system enhancements (provided by Deloitte to the state at reduced cost)
  • 644,401 people exposed = about $28 per victim in state recovery

Meanwhile, Deloitte continues to manage RIBridges under the same contract structure, making payments without taking responsibility for the harm done.

What the Deloitte Class Action Settlement Actually Delivered

In October 2024, Deloitte settled a separate class action for $6.3 million. According to the court documents, thousands of people filed claims for the standard $100 payment without proof of identity theft.

The settlement breakdown from court filings:

  • $100 automatic payment for filing a claim (no proof required)
  • Higher payments for documented identity theft losses
  • Only 35 people opted out of the class action
  • The filing deadline has passed for new claims

The Deloitte class action also protected Rhode Island from individual lawsuits, meaning if you didn’t file a claim or opt out, you can’t sue the state later.

The Pattern of Cybersecurity Failures

This isn’t Deloitte’s first cybersecurity challenge on a government contract, though specific details of other incidents are often protected by confidentiality agreements that prevent public discussion of patterns across different projects.

What the investigation reportedly found:

  • RIBridges firewall worked correctly
  • Security monitoring systems generated alerts that went unaddressed
  • Hackers maintained persistent access to system components
  • Deloitte couldn’t determine how credentials were initially compromised

According to the state’s announcement, Governor McKee stated, “Deloitte missed some issues that we certainly hold them responsible for.”

The Broader Implications for Government IT

The RIBridges breach illustrates a fundamental problem in how states manage cybersecurity risk when outsourcing critical systems.

Deloitte collected substantial fees to build and maintain a secure benefits portal, yet when their security measures failed, the company negotiated a settlement that amounts to a fraction of their contract value while maintaining their role as system administrator.

The settlement structure also demonstrates how consulting firms can limit their liability exposure through contract terms that shift long-term security risks to taxpayers. While Deloitte paid $12 million total in settlements and remediation costs, the company continues earning revenue from the same contract that produced the security failure.

For affected residents, the breach created lasting privacy risks that extend far beyond the settlement payments. Personal information remains permanently compromised, including:

  • Social Security numbers
  • Addresses
  • Benefit details

That exposure cannot be undone, leaving residents at risk of identity theft and fraud that could persist for years.

The non-disparagement clause in the state settlement also prevents Rhode Island officials from publicly discussing specific security failures or lessons learned — limiting transparency that could help other states avoid similar breaches when evaluating their own IT outsourcing arrangements.

What You Can Do

If you were affected by the RIBridges breach:

  1. Check if you filed a class action claim — Contact the settlement administrator to verify your claim status if you’re unsure whether you filed by the deadline.
  2. Monitor your credit reports — Get free reports from all 3 bureaus at annualcreditreport.com and look for accounts you didn’t open.
  3. Consider a credit freeze — Contact Experian, Equifax, and TransUnion to freeze your credit files, preventing new accounts from being opened.
  4. Report identity theft immediately — If you discover fraudulent accounts or activity, file a complaint with the FTC at identitytheft.gov.
  5. Document any losses — Keep records of time spent, fees paid, or other costs related to identity protection. Note that the class action settlement likely bars future legal claims unless you specifically opted out of the settlement.

$28 Per Person and Business as Usual

The Deloitte breach isn’t just a story about one failed system — it’s a case study in how corporate accountability breaks down when government contracts are on the line.

Hundreds of thousands of people had their personal data exposed for months. The warning signs were there. The alerts were triggered. And still, nothing happened until the damage was already done.

Then came the cleanup:

  • A settlement that amounts to pocket change per victim
  • A clause that limits what can be said publicly
  • Business as usual for the company that caused it

If this feels familiar, it should. This is what happens when the cost of failure is lower than the cost of prevention.

Your data is still out there. The contract is still active. And the system that failed is still being trusted.

If you were affected, stay vigilant — and if you’re tired of seeing companies walk away from preventable harm, you’re not alone. Think this shouldn’t happen? Share your story.

Written by: Companies Behaving Badly