Wabtec Discloses Data Breach; LockBit Claims Responsibility
Personal Information Compromised After Rail Giant Refused to Pay $30M Ransom
U.S. rail and locomotive company Wabtec Corp. recently disclosed an 8-month-old breach that exposed personal and sensitive information of some individuals after the stolen data was posted on a threat actor's leak site.
Hackers breached the network on March 15, 2022, but the company only became aware of unusual activity on its network on June 26, which prompted an internal investigation.
"With the assistance of leading cybersecurity firms, we assessed the scope of the incident to, among other things, determine if personal data may have been affected. Additionally, shortly after discovery of the event, Wabtec notified the Federal Bureau of Investigation," the company said.
A spokesperson for Wabtec was not immediately available to provide additional details.
Wabtec is a provider of equipment, systems, digital solutions and value-added services for the freight and transit rail sectors. The company employs more than 27,000 people in over 50 countries around the world.
According to Wabtec, the affected information includes:
- Full name
- Date of birth
- Non-U.S. national ID numbers
- Non-U.S. social insurance numbers or fiscal codes
- Passport numbers
- IP addresses
- Employer identification numbers
- USCIS or alien registration numbers
- National Health Service numbers - U.K.
- Medical record/health insurance information
- Gender identity
- Social Security numbers - U.S.
- Financial account information
- Payment card information
- Account usernames and passwords
- Biometric information
- Criminal convictions or offenses
- Sexual orientation/life
- Religious beliefs
- Union affiliation
The company is taking steps to secure all systems and operations by implementing procedural safeguards and notifying all applicable regulatory and data protection authorities.
Information Security Media Group analyzed the data posted on the website of ransomware-as-a-service group LockBit and found that the group had claimed responsibility for the hack.
On the website, someone who claimed to be an IT manager at Wabtec initiated a conversation with LockBit hackers, who demanded $25 million worth of bitcoin in exchange for the decryptor and the destruction of the stolen documents. The demand was later raised to $30 million. The hackers claimed to have access to up to 2GB of data.
During the chat, the company manager agreed to pay the ransom, but only if the hacker provided a working decryptor tool, returned the data and permanently deleted any copies, along with a guarantee to not publish the data anywhere. The manager also wanted to know how the hacker had infiltrated the company network.
The hacker agreed to the four demands but refused to provide information about the initial intrusion. After the company representative stopped responding to the hackers' chat messages, the data was released online.
Wabtec says it determined on Nov. 23 that personal information was contained within the stolen files and began notifying affected individuals on Dec. 30 "per relevant regulations, with a formal letter, to let them know their data was involved."