RIPTA data breach bigger than previously disclosed
PROVIDENCE, R.I. (AP) — Officials say a data breach at the state agency that operates Rhode Island’s public bus service compromised the personal information of about 22,000 people, significantly higher than the previously announced number of 17,000.
The Rhode Island Public Transit Authority shared documents at a Senate oversight committee hearing Monday night that disclosed that about 5,000 agency employees as well as 17,000 other public employees were affected. The breach remains under investigation, both internally, and by the state attorney general.
RIPTA Director Scott Avedisian said much of the information compromised was contained in documents from the state’s former health plan administrator, stored on non-encrypted RIPTA servers.
However, RIPTA denied that the breach affected more people than they originally thought.
The full statement is follows:
“To clarify, the incident did not impact more individuals than RIPTA first announced. In response to this incident, RIPTA notified affected individuals in accordance with state and federal law. On December 21, 2021, RIPTA mailed letters to approximately 22,000 individuals, 17,378 of whom are residents of Rhode Island. That same day, RIPTA notified all applicable regulators, including the Rhode Island Attorney, in accordance with state law. RIPTA can confirm the accuracy of the numbers of individuals previously reported. No additional individuals have been identified as being involved in this incident.
RIPTA recognizes the concern and inconvenience this incident may have caused our own associates and the State employees who were impacted. RIPTA takes seriously the security and privacy of the information in our care, and we are continuing to take steps to strengthen our information security processes, including by further enhancing our security protocols, document handling practices and cybersecurity training for our employees. RIPTA will continue to work with third party vendors to help ensure that sensitive information is not inappropriately shared with RIPTA in the future.”