🔴 HIGH | intel

Pennsylvania AG ransomware breach exposes SSNs via Citrix Bleed 2

Category: Industry News
Pennsylvania’s Office of the Attorney General has confirmed that a ransomware attack first detected in August exposed names, Social Security numbers and medical information for an undisclosed number of individuals. Initial access has been linked to internet-exposed Citrix NetScaler devices vulnerable to CVE-2025-5777, also known as Citrix Bleed 2, which aligns with ATT&CK technique T1190 (Exploit Public-Facing Application). The incident disrupted websites, phone lines and email systems for nearly a month and forced courts to extend deadlines for certain criminal and civil cases, while 1,200 staff members resorted to alternate communication methods. Although the office says it has no evidence of misuse of the stolen information so far, the INC ransomware gang has claimed responsibility and may still hold copies of exfiltrated data.

Subsequent investigation found that the threat actors not only encrypted files and systems but also stole data before deploying the ransomware, a classic double-extortion pattern tied to techniques such as T1486 (Data Encrypted for Impact) and T1565.002 (Data Manipulation: Stored Data Manipulation). Security researchers traced exploitation to Citrix NetScaler appliances that were vulnerable not only to CVE-2025-5777 but also to related bugs, with external analysts documenting at least two devices associated with the Attorney General’s office that were later removed from the internet. The office has notified affected individuals by email where addresses were available and has engaged the FBI to support the ongoing investigation.

For public sector entities and regulated organizations, this breach underscores the cascading operational and legal consequences of unpatched perimeter device vulnerabilities. Exposure of SSNs and medical data can trigger identity theft risks and obligations under state breach notification laws, and potentially under federal healthcare privacy regulations if protected health information is involved.

Even when immediate financial fraud is not observed, data harvested in such incidents may surface later in criminal marketplaces and fuel long-tail fraud and social engineering campaigns. Mitigation requires urgent patching and hardening of all internet-facing Citrix and similar edge systems, combined with continuous vulnerability management and attack surface monitoring to catch devices like NetScaler that slip outside normal asset inventories. Organizations should also validate that backups and disaster recovery plans can restore critical public services without prolonged downtime, and ensure breach response plans include rapid coordination with courts, regulators and law enforcement. Finally, where SSNs and medical data are involved, agencies must offer appropriate credit monitoring, publish clear guidance for affected individuals and monitor for any signs of secondary abuse linked to the stolen datasets.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: The Pennsylvania Attorney General breach demonstrates how a single exposed Citrix NetScaler vulnerability, CVE-2025-5777, can cascade into prolonged public service disruption and sensitive data exposure, including SSNs and medical information. Beyond the immediate operational impact, the office now faces potential regulatory and legal scrutiny, reputational damage and long-term identity theft risks for residents whose data may circulate in criminal ecosystems.

Strategic Intelligence Guidance

  • Prioritize patching and configuration reviews for internet-facing Citrix NetScaler and similar edge appliances, especially those affected by CVE-2025-5777 and related flaws.
  • Deploy continuous external attack surface management to identify and monitor public-facing devices, reducing blind spots in vulnerability management for government and enterprise networks.
  • Update incident response and business continuity plans to account for extended outages of legal or public service systems, ensuring alternative communication channels are pre-planned and tested.
  • Where SSNs or medical data are compromised, coordinate with regulators and law enforcement, offer credit monitoring where appropriate, and provide clear guidance for affected individuals on fraud prevention.

CVEs

CVE-2025-5777

Vendors

Citrix

Threats

INC ransomware gang; Citrix Bleed 2 exploitation

Targets

Pennsylvania Office of the Attorney General; state government legal systems; impacted residents and victims

Impact

Data Volume: undisclosed number of individuals with SSNs and medical information exposed