Cyber Incident Victim: RailWorks Corporation
Date:
Jan 2020
Location:
United States of America
Summary
RailWorks Corporation experienced a ransomware attack that encrypted its servers and systems, potentially compromising sensitive personal information of current and former employees, their beneficiaries, dependents, and contractors. Potentially exposed data included names, addresses, government-issued IDs, Social Security numbers, dates of birth, and employment-related dates. The company offered affected individuals twelve months of free credit monitoring and dark web surveillance and established a dedicated support call center. RailWorks stated it was unaware of any misuse of the exposed data. The incident is notable for its public disclosure, in contrast with other ransomware cases of the period in which breaches were concealed or led to data leaks after ransom demands were refused.
Description
RailWorks Corporation, a leading North American rail infrastructure provider with over 3,500 employees across 45 offices, experienced a cyberattack between January 30 and February 7, 2020. Unauthorized actors encrypted the company's servers and systems using ransomware, disrupting operations and potentially compromising sensitive personal information. The data at risk belonged to current and former employees, their beneficiaries and dependents, and contractors, and included names, addresses, driver's license numbers, government-issued IDs, Social Security numbers, dates of birth, and employment dates (hire, termination, and/or retirement). The company confirmed the incident through a data breach notification emailed to affected individuals and a filing with California's Office of the Attorney General, but did not disclose technical details such as the ransomware variant, the initial access vector, or the attackers' methods. RailWorks characterized the attack as sophisticated and reported no evidence of actual misuse of the exposed data at the time of disclosure.

In response to the incident, RailWorks implemented precautionary measures to protect impacted individuals, including 12 months of complimentary credit monitoring through Identity Guard Total. This service covered credit data monitoring, dark web scanning for exposed Social Security numbers, financial account details, and credit card information, and alerts when an exposure was detected. The company also established a dedicated call center (1-866-977-1068) for inquiries related to the breach. RailWorks acknowledged that encryption of its servers and systems placed personal information at risk, but did not confirm whether any data was actually exfiltrated, or whether a ransom was demanded or paid; encryption alone does not establish that data left the network, which is why the notice describes the compromise as potential. The disclosure stood out among contemporary ransomware incidents because of the company's proactive breach notification, in contrast with cases where organizations concealed attacks or suffered data leaks after refusing to pay.
