Wabtec Corporation has finally disclosed details of a data security incident last year which led to the compromise of highly sensitive personal information.
The Pittsburgh-headquartered firm describes itself as the world’s leading rail technology company, operating in over 50 countries in the freight, transit, mining, industrial and marine sectors.
The $8bn revenue firm suffered a ransomware attack first reported back in June 2022, attributed to the prolific LockBit group.
Although the incident is not mentioned explicitly in the new breach notice, the link between the two can be inferred from the fact that stolen data was “posted to the threat actor’s leak site,” according to Wabtec.
The firm explained that, although it first became aware of unusual network activity on June 26 2022, it later determined that malware was planted on its systems as far back as March 15 that year.
“The forensic investigation did reveal that certain systems containing sensitive information were subject to unauthorized access, and that a certain amount of data was taken from the Wabtec environment on June 26 2022,” it explained.
“The information was later posted to the threat actor’s leak site. On November 23 2022, Wabtec, with the assistance of data review specialists, determined that personal information was contained within the impacted files. On December 30 2022, Wabtec began notifying affected individuals, per relevant regulations, with a formal letter, to let them know their data was involved.”
It’s unclear exactly whose information was taken in the breach, although judging by the list of data types, it appears to belong to Wabtec employees globally. There’s also no indication of the scale of the data theft.
Compromised information includes:
- First and last names
- Dates of birth
- Non-US ID numbers, social insurance numbers or fiscal codes
- Passport numbers
- Employer identification numbers
- Alien registration numbers
- UK NHS numbers
- Medical and health insurance information
- Photos
- Gender
- Salary
- US social security numbers
- Financial account and payment card info
- Sexual orientation
- Religious beliefs
- Union affiliation
Andrew Hay, COO at cybersecurity consultancy Lares Consulting, said the delay between malware deployment and its discovery by Wabtec may suggest poor detection and response capabilities.
“Unless the malware was purposefully delayed, there is no excuse for not detecting or blocking the associated activity,” he added.
“Once the FBI is involved, it’s normal for public disclosure to lag. Like any criminal case, law enforcement wants to investigate. This is not always a fast process and could take weeks, if not months, to draw accurate conclusions, ascribe attribution, and, where possible, press charges.”