Cyber Incident Victim: Companhia Paulista de Trens Metropolitanos
Date: Dec 2022
Location: Brazil
Summary
A ransomware attack on the Companhia Paulista de Trens Metropolitanos took down its website and mobile application, while the operational systems that control train circulation and stations were unaffected. The attackers demanded $500,000 to restore access; internal employee networks were also hit and remained offline during recovery. The organization worked with Prodesp, Microsoft, and a state information security subcommittee to restore services, and stressed that the compromised systems did not hold passenger data, which is managed by external entities. Law enforcement and Brazil's national data protection authority were notified, and additional data protection measures were put in place. Operational updates were issued via WhatsApp and social media channels throughout the incident.
Description
On December 18, 2022, Companhia Paulista de Trens Metropolitanos (CPTM) suffered a ransomware attack that took its website and mobile application offline. The attackers publicly claimed responsibility and demanded a ransom of US$500,000 to restore access to the affected systems; the demand was posted on hacker forums and subsequently reported by journalist Paulo Brito on Twitter. While the attack disabled CPTM's public-facing digital platforms, the company confirmed that the critical operational systems controlling train circulation and station infrastructure were not affected. Internal employee networks were impacted and remained offline during restoration. CPTM stated that no passenger data was compromised, because that information is managed by separate entities and does not reside on the affected systems.

CPTM coordinated its response with several outside entities. Its technical teams worked with specialists from PRODESP (the São Paulo state technology agency) and Microsoft to restore the disabled systems, and the Subcommittee on Information Security (SSI) of São Paulo's Committee for Data and Information Governance (CDESP) supported the recovery. CPTM formally notified law enforcement, and the Civil Police's Department of Cyber Crimes (DEIC) opened an investigation. The National Data Protection Authority (ANPD) was also notified as a regulatory compliance measure, with CPTM stating that it was implementing additional data protection controls. Throughout the disruption the company kept customers informed of operations via WhatsApp and its social media accounts. In official statements it condemned the attack as a criminal act, confirmed that restoration work was ongoing, and indicated that it would not give in to the ransom demand.
