Cyber Incident Victim: Wabtec Corporation

Date:

Jun 2022

Location:

United States of America

Summary

A global freight and transit rail equipment provider experienced a cyberattack disrupting U.S., U.K., and Brazilian operations, with malware infiltration occurring months prior to discovery. Threat actors accessed sensitive systems, exfiltrating extensive personal data including names, biometric information, passport and payment card details, health records, salaries, and national identification documents, later publishing stolen files via LockBit 3.0’s leak site. The incident prompted FBI engagement and delayed breach notifications to affected individuals. Operational disruptions prevented remote network access for employees during the attack, which coincided with heightened regulatory focus on rail sector cybersecurity mandates. Internal and external forensic investigations confirmed data compromise months after initial detection.

Description

Wabtec Corporation, a major global provider of freight and transit rail equipment, discovered a cyberattack on June 26, 2022, which had compromised its systems as early as March 15 of that year. The attack affected operations in the United States, United Kingdom, and Brazil, disrupting rail services across these regions. Following internal investigations, the company confirmed that threat actors infiltrated sensitive areas of its network, exfiltrated data, and subsequently published stolen files on an online leak site in August 2022. Wabtec promptly engaged the FBI after detecting the breach and collaborated with external cybersecurity specialists to assess the scope. By November 23, 2022, forensic analysis revealed the theft of extensive personally identifiable information, leading to formal notifications to affected individuals via mailed letters starting December 30, 2022. Employees were alerted in late June about potential ransomware activity and instructed to avoid logging into corporate systems, which temporarily hindered remote workers’ network access. The attackers, identified as the LockBit 3.0 ransomware group based on leak site evidence, executed a double extortion campaign involving data theft and public exposure, though Wabtec did not explicitly confirm ransomware usage or disclose whether a ransom was demanded or paid.

The compromised data included highly sensitive employee and operational details such as full names, dates of birth, passport numbers, payment card information, health insurance records, salaries, biometric identifiers, photographs, and non-U.S. national identification documents. This breach occurred amid broader U.S. government efforts to strengthen rail sector cybersecurity, including the Transportation Security Administration’s October 2022 release of mandatory cybersecurity implementation plans for critical transportation entities. Industry analysts noted the five-month gap between the leak site publication in August and Wabtec’s December data loss disclosure, highlighting recurrent delays in breach transparency. The incident underscored vulnerabilities in a company responsible for approximately 20% of global freight logistics, exacerbating supply chain risks already strained by labor shortages and operational disruptions. Wabtec’s response focused on containment, law enforcement coordination, and victim notification, without public elaboration on technical remediation steps or long-term operational adjustments resulting from the attack.
