
Cyber Incident Victim: OmniTRAX

Date: Dec 2020

Location: United States of America

Summary

A U.S. freight rail operator experienced a ransomware attack and data theft targeting its corporate parent, leading to the public leak of approximately 70 gigabytes of internal documents including employee work computer contents. The company confirmed the incident but did not disclose operational impacts, asserting business continuity despite the Conti ransomware group's data release, which suggested refused ransom demands. While cybersecurity experts assessed minimal operational disruption, the breach raised concerns over exposed employee data and broader supply chain vulnerabilities, marking the first publicly reported double-extortion ransomware incident against a North American rail freight entity. The event highlighted industry-wide cybersecurity risks as transportation sectors increasingly digitize without adequate protective measures.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: available to members
Location: available to members

Description

In late December 2020, Colorado-based rail freight operator OmniTRAX confirmed it had been targeted in a ransomware attack after the Conti cybercriminal group publicly posted stolen company data on its leak site. The attack occurred prior to December 24 and targeted OmniTRAX's corporate parent, the Broe Group, which maintains shared headquarters with the railroad operator in Denver. Conti ransomware actors exfiltrated approximately 70 gigabytes of internal OmniTRAX documents, including contents from individual employee work computers, before encrypting systems—a double-extortion tactic involving both data theft and system lockdown. The leak's timing indicated Broe Group refused ransom demands. While OmniTRAX acknowledged the incident through Chief Legal Officer John Spiegleman, the company declined to disclose specifics about security protocols, operational impacts, or whether customer data was compromised. Spiegleman stated operations continued "business as usual" across OmniTRAX's network of 21 U.S. and one Canadian short line railroads, which serve as critical connectors between shippers and major rail networks. FreightWaves verified samples of the leaked data but could not confirm whether rail operations information was included in the breach.

The incident marked the first publicly confirmed double-extortion ransomware attack against a U.S. freight rail operator, occurring amid heightened concerns about cybersecurity vulnerabilities in increasingly digitized rail systems. While a rail industry cybersecurity expert assessed the attack caused minimal to no operational disruption, the exposure of employee data raised significant concerns. Broader industry apprehension had focused on potential large-scale supply chain disruptions or safety system compromises, though ransomware attacks typically prioritize financial gain over infrastructure sabotage. The breach occurred as transportation sector ransomware incidents increased, exemplified by the contemporaneous Forward Air attack that did disrupt operations through data encryption. In response to escalating threats, Greenbrier CEO Bill Furman publicly disclosed his railcar manufacturing firm's accelerated cybersecurity investments during December 2020 earnings calls, reflecting board-level concerns across the industry. OmniTRAX maintained its no-comment policy regarding security measures throughout the incident disclosure period.

Sources

1 source (available to members)