[BreachExchange] US Railroad Contractor Reports Data Breach After Ransomware Attack

Destry Winant destry at riskbasedsecurity.com
Mon Mar 2 10:21:09 EST 2020


https://www.bleepingcomputer.com/news/security/us-railroad-contractor-reports-data-breach-after-ransomware-attack/

The company has over 3,500 employees, 45 offices in the United States
and Canada, and is behind $3 billion worth of contracts with railroad
companies, transportation agencies/departments, and transit
authorities.

Ransomware attack leads to a potential data breach

The company sent email notifications to those affected by the attack
on January 30 and February 7, following the breach that took place on
Monday, January 27, 2020.

According to three data breach notifications RailWorks filed with
California's Office of the Attorney General (1, 2, 3), the attackers
might have gained access to PII including names, addresses, driver
license numbers, government-issued IDs, Social Security numbers, dates
of birth, and dates of hire/termination and/or retirement.

RailWorks says that it "was the victim of a sophisticated cyberattack
in which an unauthorized third party encrypted its servers and systems
[..]."

BleepingComputer reached out to a RailWorks spokesperson for comment
and to confirm the ransomware attack but did not hear back at the time
of publication.

The method used by the attackers to deploy the malware used to encrypt
the company's systems is also unknown for the time being.

While we have no indication that any of your personal information has
been misused, we are taking precautionary measures to help you protect
your financial security and help to alleviate any concerns you may
have. - RailWorks

"We are committed to helping those who may have been impacted by this
unfortunate situation," RailWorks adds. "That’s why we are providing
you with access to free credit monitoring for twelve (12) months
through Identity Guard Total."

"Identity Guard Total provides essential monitoring and protection of
not only credit data, but also monitors the Dark Web and alerts you if
your Social Security number, credit cards, and bank account numbers
are found in unsecure online locations."

The company strongly urges impacted employees to place a security
freeze or a fraud alert on their credit file for free with Experian,
Equifax, and TransUnion as a measure designed to prevent credit, loans,
or other financial services from being approved in their names without
their authorization.

RailWorks also set up a dedicated call center at 1-866-977-1068,
available between Monday and Friday, 9:00 am to 9:00 pm EST for
questions and concerns.

A new beginning?

BleepingComputer has been saying for a while now that ransomware
attacks should be considered data breaches.

Even though sensitive information now also gets harvested and
exfiltrated before the actual encryption process takes place, no
companies have yet treated such incidents as a data breach.

RailWorks might be the first company to file a data breach
notification after such an incident, something that we've long been
expecting.

This will most likely happen more often in the coming months, as
lawmakers will likely take notice of the full effects ransomware
attacks have on a victim and pass legislation requiring orgs to file
data breach notifications following such incidents.

Harvesting their victims' data before encrypting systems and then
threatening to slowly leak out the stolen data in stages is a new
method used by ransomware gangs to pressure victims to give in and pay
the ransom.

This distressing trend for companies that fall victim to ransomware
attacks was started by Maze Ransomware during late November 2019 and
was embraced by the operators of other ransomware families including
Sodinokibi, Nemty Ransomware, and BitPyLock last month.

Sodinokibi (aka REvil) also recently outlined plans to email stock
exchanges such as NASDAQ regarding their antics to hurt the stock
valuation of publicly traded companies they manage to infect. This is
yet another method announced by ransomware gangs to "incentivize" their
victims to pay up.

Other ransomware operators might soon get on board and reach out to
stock exchanges after compromising publicly-listed companies.
Unprompted, Maze Ransomware told BleepingComputer yesterday that they
also liked REvil's idea about NASDAQ.