
Pennsylvania AG Confirms Data Breach in INC Ransom Attack

Summary

– The Pennsylvania Attorney General’s office confirmed a ransomware gang stole personal and medical information in an August 2025 cyberattack.
– The office refused to pay the ransom after systems were encrypted and discovered unauthorized access to files containing names, Social Security numbers, and medical data.
– Cybersecurity expert Kevin Beaumont found vulnerable Citrix NetScaler appliances on the network, which were taken offline around the time of the breach.
– The INC Ransom gang claimed responsibility for the attack, alleging they stole 5.7TB of files and gained access to an FBI internal network.
– This marks the third ransomware attack on Pennsylvania state entities since 2017, following previous incidents involving Delaware County and the Pennsylvania Senate Democratic Caucus.

The Pennsylvania Attorney General’s office has confirmed a significant data breach following a ransomware attack in August 2025, revealing that cybercriminals successfully accessed and stole files containing sensitive personal and medical information. Attorney General Dave Sunday previously announced in early September that his office had refused to pay the ransom demanded by the attackers after they encrypted critical systems.

In a recent press release, the Pennsylvania Office of the Attorney General (OAG) stated, “The OAG later learned that certain files may have been accessed without authorization. The OAG reviewed which data may have been involved and learned that certain personal information was contained in some files.” The office further explained that for some individuals, the compromised data likely included names, Social Security numbers, and medical details.

The attack, discovered on August 9th, caused widespread disruption by taking down numerous systems and services on the OAG’s network. This included the office’s public website, employee email accounts, and landline telephone services, severely hampering operations.

While the OAG has not publicly disclosed how its network was breached, cybersecurity specialist Kevin Beaumont found that the Pennsylvania AG’s network had multiple public-facing Citrix NetScaler appliances vulnerable to a critical, actively exploited security flaw known as Citrix Bleed 2 (CVE-2025-5777). Beaumont noted that one of the two vulnerable devices had been offline since July 29th, with the other taken down on August 7th.

The INC Ransom gang publicly claimed responsibility for the breach on September 20th, listing the Pennsylvania OAG as a new victim on their dark web leak site. The group alleged they had stolen approximately 5.7 terabytes of data from the OAG’s network. They also made the bold assertion that the breach provided them with access to an internal FBI network.

INC Ransom emerged as a ransomware-as-a-service operation in July 2023 and has since targeted a wide array of organizations across the globe. Their list of victims spans multiple sectors, including education, healthcare, government, and major corporations such as Yamaha Motor Philippines, Scotland’s National Health Service, the retail giant Ahold Delhaize, and the U.S. division of Xerox Business Solutions.

This incident marks the third time in recent years that Pennsylvania state entities have fallen victim to ransomware attacks. In 2020, Delaware County paid a $500,000 ransom to the DoppelPaymer gang to restore its encrypted systems. Additionally, a 2017 attack disrupted the Pennsylvania Senate Democratic Caucus’ network, highlighting a persistent threat to the state’s digital infrastructure.

(Source: Bleeping Computer)
