
Wabtec Discloses Data Breach; LockBit Claims Responsibility

Personal Information Compromised After Rail Giant Refused to Pay $30M Ransom

U.S. rail and locomotive company Wabtec Corp. recently disclosed an 8-month-old breach that exposed personal and sensitive information of some individuals after the stolen data was posted on a threat actor's leak site.

Hackers breached the network on March 15, 2022, but the company only became aware of unusual activity on its network on June 26, which prompted an internal investigation.

"With the assistance of leading cybersecurity firms, we assessed the scope of the incident to, among other things, determine if personal data may have been affected. Additionally, shortly after discovery of the event, Wabtec notified the Federal Bureau of Investigation," the company said.

A spokesperson for Wabtec was not immediately available to provide additional details.

Wabtec is a provider of equipment, systems, digital solutions and value-added services for the freight and transit rail sectors. The company has more than 27,000 employees in over 50 countries around the world.

According to Wabtec, the affected information includes:

  • Full name
  • Date of birth
  • Non-U.S. national ID numbers
  • Non-U.S. social insurance numbers or fiscal codes
  • Passport numbers
  • IP addresses
  • Employer identification numbers
  • USCIS or alien registration numbers
  • National Health Service numbers - U.K.
  • Medical record/health insurance information
  • Photographs
  • Gender identity
  • Salaries
  • Social Security numbers - U.S.
  • Financial account information
  • Payment card information
  • Account usernames and passwords
  • Biometric information
  • Race/ethnicity
  • Criminal convictions or offenses
  • Sexual orientation/life
  • Religious beliefs
  • Union affiliation

The company is taking steps to secure all systems and operations by implementing procedural safeguards and notifying all applicable regulatory and data protection authorities.

LockBit Responsible

Information Security Media Group analyzed the data posted on the website of ransomware-as-a-service group LockBit and found that the group had claimed responsibility for the hack.

On the website, someone who claimed to be an IT manager at Wabtec initiated a conversation with LockBit hackers, who demanded $25 million worth of bitcoin in exchange for the decryptor and the destruction of the stolen documents. The demand was later raised to $30 million. The hackers claimed to have access to up to 2GB of data.

During the chat, the company manager agreed to pay the ransom, but only if the hacker provided a working decryptor tool, returned the data and permanently deleted any copies, along with a guarantee to not publish the data anywhere. The manager also wanted to know how the hacker had infiltrated the company network.

Chat between alleged Wabtec IT manager and hacker (Image: Information Security Media Group)

The hacker agreed to the four demands but refused to provide information about the initial intrusion. After the company representative stopped responding to the hackers' chat messages, the data was released online.

Wabtec says it determined on Nov. 23 that personal information was contained within the stolen files and began notifying affected individuals on Dec. 30 "per relevant regulations, with a formal letter, to let them know their data was involved."


About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair is assistant editor for Information Security Media Group's global news desk. He has previously worked at TechCircle, IDG, Times Group and other publications where he reported on developments in enterprise technology, digital transformation and other issues.
