Cyber Incident Victim: Alaska Railroad Corporation
Date: Dec 2022
Location: United States of America
Summary
A cyberattack compromised the Alaska Railroad Corporation’s internal systems, resulting in unauthorized access to sensitive vendor and employee data. Stolen information included personal identifiers, financial details, medical and health insurance records, drug screening results, employment evaluations, and government-issued identification documents. The breach impacted over 7,400 individuals, prompting the organization to provide complimentary credit monitoring and identity theft protection services. Following discovery, immediate containment measures were implemented alongside an ongoing investigation involving forensic experts and law enforcement to assess the full scope and address potential developments.
Description
On December 25, 2022, unauthorized third parties breached the internal network systems of the Alaska Railroad Corporation (ARRC), a state-owned Class II railroad operating freight and passenger services in Alaska. The intrusion remained undetected until March 18, 2023, when ARRC discovered the incident and initiated immediate containment measures. The attackers exfiltrated extensive sensitive data pertaining to vendors, current and former employees, and their dependents. Compromised information included personally identifiable details such as full names, dates of birth, Social Security numbers, driver’s license or government ID numbers, employer tax identification numbers, and banking information. Additionally, highly confidential records were stolen, encompassing medical and health insurance data, drug screening results, employment evaluations, and birth or marriage certificates. The Office of the Maine Attorney General confirmed 7,413 individuals were impacted by the breach.

ARRC attributed its delayed public disclosure, issued to affected parties on April 17, 2023, to an ongoing law enforcement investigation. The company collaborated with forensic experts and authorities to assess the intrusion’s scope and secure compromised systems. In its notification, ARRC stated it had taken steps to identify and contain the breach while continuing to review potentially affected records. No operational disruptions to railroad services were reported, though the theft of critical infrastructure data raised broader security concerns given ARRC’s designation as part of the U.S. transportation critical infrastructure sector. As remediation, ARRC offered impacted individuals complimentary credit monitoring and identity theft protection services but did not disclose technical details about the attack vector, perpetrator identity, or specific network vulnerabilities exploited.
