Companhia Paulista de Trens Metropolitanos

Aliases: 2 aliases
Primary URL: cptm[.]sp[.]gov[.]br
Location: Brazil
Industry: Transportation
Profile

Companhia Paulista de Trens Metropolitanos (CPTM) is a public company responsible for operating the metropolitan train system in the state of São Paulo, Brazil. Its core service involves the management and circulation of trains across the metropolitan region, providing public transportation for commuters through a network of stations and rail lines. The organization's operational scope is focused on this essential public transit function within one of the world's largest urban agglomerations. While specific metrics such as total route length or daily passenger volume are not provided in the source material, its role is defined by the provision of this critical infrastructure service. The company maintains a digital presence through a website and a mobile application, which serve as key channels for passenger information and service access.

A distinguishing attribute of CPTM is its demonstrated operational resilience and established incident response protocols, as evidenced by its handling of a significant ransomware attack in December 2022. During this incident, while its website and mobile app were disrupted and internal employee networks were offline, the core operational systems for train circulation and station management remained unaffected, ensuring the continuity of its primary public service. The organization's response involved coordinated collaboration with Prodesp (the São Paulo state data processing company), Microsoft, and a state information security subcommittee, highlighting a structured approach to cybersecurity crises. Furthermore, CPTM promptly notified law enforcement and Brazil's national data protection authority (ANPD), implementing enhanced data protection measures post-incident. The company also effectively utilized alternative communication channels, specifically WhatsApp and social media, to provide operational updates to the public during the service disruption, maintaining transparency. A critical note from the incident is that the compromised digital systems did not contain passenger data, as that information is managed by external entities, a structural detail that limited the potential data breach impact. This event underscores the organization's prioritization of operational technology security and its integration within a broader state-level cybersecurity framework for critical infrastructure.

Incidents
1 incident