
Published on March 8th, 2020


US Railroad Contractor Reports Data Breach After Ransomware Attack



Image: Christophe Maertens

RailWorks Corporation, one of North America’s leading railroad track and transit system providers, disclosed a ransomware attack that led to the exposure of personally identifiable information of current and former employees, their beneficiaries and dependents, as well as that of independent contractors.

RailWorks is a privately held provider of rail infrastructure solutions that builds and maintains rail transportation infrastructure across the United States and Canada.

The company has over 3,500 employees, 45 offices in the United States and Canada, and is behind $3 billion worth of contracts with railroad companies, transportation agencies/departments, and transit authorities.

Ransomware attack leads to a potential data breach

The company sent email notifications to those affected by the attack on January 30 and February 7, following the breach that took place on Monday, January 27, 2020.

According to three data breach notifications RailWorks filed with California's Office of the Attorney General (1, 2, 3), the attackers might have gained access to PII including names, addresses, driver license numbers, government-issued IDs, Social Security numbers, dates of birth, and dates of hire/termination and/or retirement.

RailWorks says that it "was the victim of a sophisticated cyberattack in which an unauthorized third party encrypted its servers and systems [..]."

BleepingComputer reached out to a RailWorks spokesperson for comment and to confirm the ransomware attack but did not hear back at the time of publication.

The method used by the attackers to deploy the malware used to encrypt the company's systems is also unknown for the time being.

While we have no indication that any of your personal information has been misused, we are taking precautionary measures to help you protect your financial security and help to alleviate any concerns you may have. - RailWorks

"We are committed to helping those who may have been impacted by this unfortunate situation," RailWorks adds. "That’s why we are providing you with access to free credit monitoring for twelve (12) months through Identity Guard Total."

"Identity Guard Total provides essential monitoring and protection of not only credit data, but also monitors the Dark Web and alerts you if your Social Security number, credit cards, and bank account numbers are found in unsecure online locations."





The company strongly urges impacted employees to place a security freeze or a fraud alert on their credit file for free with Experian, Equifax, and TransUnion as a measure designed to prevent credits, loans, or other financial services from being approved in their names without their approval.

RailWorks also set up a dedicated call center at 1-866-977-1068, available between Monday and Friday, 9:00 am to 9:00 pm EST for questions and concerns.

A new beginning?

BleepingComputer has been saying for a while now that ransomware attacks should be considered data breaches.

Even though sensitive information now also gets harvested and exfiltrated before the actual encryption process takes place, no companies have yet treated such incidents as a data breach.

RailWorks might be the first company that files a data breach notification after such an incident, something that we've been long expecting.

This will most likely happen more often in the coming months, as lawmakers will likely take notice of the full effects ransomware attacks have on a victim and pass legislation requiring orgs to file data breach notifications following such incidents.

Harvesting their victims' data before encrypting systems and then threatening to slowly leak out the stolen data in stages is a new method used by ransomware gangs to pressure victims to give in and pay the ransom.

This distressing trend for companies that fall victim to ransomware attacks was started by Maze Ransomware during late November 2019 and was embraced by the operators of other ransomware families including Sodinokibi, Nemty Ransomware, and BitPyLock last month.

Sodinokibi (aka REvil) also recently outlined plans to email stock exchanges such as NASDAQ regarding their antics to hurt the stock valuation of publicly traded companies they manage to infect. This is yet another method announced by ransomware gangs to "incentivize" their victims to pay up.

Other ransomware operators might soon get on board and reach out to stock exchanges after compromising publicly-listed companies. Unprompted, Maze Ransomware told BleepingComputer yesterday that they also liked REvil's idea about NASDAQ.
