Wabtec Corp., one of largest freight carriers in the rail industry, disclosed Friday it was the target of a cyberattack discovered in June 2022. The threat actor later posted sensitive data on an online leak site.
The Pittsburgh-based company discovered the attack on June 26 and following an internal investigation realized malware was introduced as early as March 15, 2022. The attack impacted the firm’s U.S., U.K. and Brazilian rail operations.
The threat actor, which was not disclosed, accessed sensitive parts of the Wabtec environment, stole data and later posted onto an online leak site, according to the company. The company said it contacted the FBI soon after discovering the attack.
By Nov. 23, the company aided by outside data specialists, realized personally identifiable data was taken and the company began formal notifications by letter on Dec.30.
The stolen personal information includes names, dates of birth, passport numbers, payment card information, health insurance data, passport information, salaries, biometric data, photographs, non-U.S. national ID and social insurance information and other data.
Wabtec employees were warned in June about a possible ransomware attack in late June and warned not to log onto their computers, according to an article in Erie News Now. The story said remote workers at the company were unable to access the company network.
The incident appears to be a straightforward double extortion attack with sensitive files posted in August, according to Ron Fabela, co-founder and CTO at SynSaber, an industrial cybersecurity firm.
“What’s intriguing is that the files were posted back in August, Wabtec is just now reporting the data lost,” Fabela said via email. “This lag in breach reporting is not uncommon and continues to be a focus for industry and government policymakers.”
According to screenshots provided to Cybersecurity Dive, the data was posted to a leak site controlled by LockBit 3.0.
The company has not publicly used the word ransomware in its descriptions of the attack, and it is not known whether any specific dollar amount was demanded or paid.
The incident took place as U.S. government officials were working to bolster cybersecurity guidelines for the rail industry. The Transportation Security Administration in October introduced long-awaited directives for companies to introduce cybersecurity implementation plans.
The rail cybersecurity issue not only impacts U.S. passenger traffic, but critical supply chain issues at a time when the U.S. and other countries have been facing major disruptions due to worker shortages and other issues.
The company said it makes up about 20% of the world’s freight and is also a major parts and technology provider for rail and transit systems.
