Wabtec Announces Global Data Breach In LockBit Attack

By   Adeola Adegunwa
Writer , Informationsecuritybuzz | Jan 06, 2023 04:59 am PST

The Wabtec Corporation has finally provided information regarding a data security breach that occurred last year and resulted in the compromise of extremely sensitive personal data. The $8 billion company was the victim of a ransomware attack that was first mentioned in June 2022 and was perpetrated by the well-known LockBit organization.

The corporation, which has its headquarters in Pittsburgh, bills itself as the world’s top rail technology provider and operates in more than 50 nations in the freight, transit, mining, industrial, and maritime sectors. Modern locomotives and rail systems are produced by the publicly traded Wabtec firm in the United States. The company is a giant in freight locomotives and a significant player in the transit sector employs over 26,000 people and has operations in 50 countries.

LockBit Published Samples Of Data Stolen From Wabtec

Although the incident isn’t explicitly referenced in the current breach notice, Wabtec claims that it may be deduced because stolen data was “uploaded to the threat actor’s leak site.”

The company stated that although discovered strange network activity for the first time on June 26, 2022, it later discovered that malware had been installed on its systems as early as March 15 of that year.

According to the statement, “The forensic investigation did show that several systems carrying sensitive information were the target of unauthorized access, and that on June 26, 2022, a certain amount of data was removed from the Wabtec environment.”

Later, the details were published on the threat actor’s leaked website. On November 23, 2022, Wabtec discovered that the impacted files contained personal information with the help of data review experts. In accordance with the applicable requirements, Wabtec started sending formal letters to impacted individuals on December 30, 2022, informing them that their data was at risk.

Although it’s unclear precisely whose data was stolen in the incident, based on the list of data kinds, it seems to be employees worldwide of Wabtec. Additionally, there is no evidence of how much data was stolen.

Compromised data includes the following:

  • Full name
  • Date of birth
  • Non-U.S. national ID numbers
  • Non-U.S. social insurance numbers or fiscal codes
  • Passport numbers
  • IP addresses
  • Employer identification numbers
  • USCIS or alien registration numbers
  • National Health Service numbers – U.K.
  • Medical record/health insurance information
  • Photographs
  • Gender identity
  • Salaries
  • Social Security numbers – U.S.
  • Financial account information
  • Payment card information
  • Account usernames and passwords
  • Biometric information
  • Race/ethnicity
  • Criminal convictions or offenses
  • Sexual orientation/life
  • Religious beliefs
  • Union affiliation

The delay between malware deployment and Wabtec’s discovery, according to Andrew Hay, COO of cybersecurity consulting firm Lares Consulting, may indicate weak detection and response capabilities.

“There is no justification for not identifying or preventing the connected activities,” he continued. “Unless the malware was purposely delayed.”

“It’s typical for public disclosure to be delayed after the FBI is engaged. Law enforcement wants to look into this case as they would any criminal one. In some cases, it may take weeks or even months to come to the pertinent findings, assign blame, and, if appropriate, file charges.

How To Keep Safe From LockBit Ransomware

The following are ways to protect your networks against LockBit ransomware attack attempts:

  • Admin, service and domain account passwords must all be strong, unique passwords for all accounts that require them.
  • As much as possible, mandate multi-factor authentication for all services.
  • Update all applications and operating systems.
  • Eliminate unauthorized access to administrative shares.
  • Utilize a host-based firewall to restrict access to administrative shares through Server Message Block (SMB) to a select few administrator machines.
  • To stop unauthorized changes to crucial information, turn on protected files in the Windows operating system.
  • Administrators can also thwart network discovery attempts made by ransomware developers by doing the following.
  • Implement time-based access for accounts with admin and higher privileges.
  • Revoke rights and command-line and scripting activity
  • Maintain offline data backups and routine backup and restore
  • Ensure that the entire organization’s data architecture is covered by all backup data, which should be encrypted and immutable.


Wabtec Corp., a U.S. rail and locomotive firm, recently announced an eight-month-old breach that exposed certain people’s sensitive personal information after the stolen information was put on a threat actor’s leak site. The network was penetrated by hackers on March 15, 2022, but the corporation didn’t notice anything out of the ordinary until June 26, at which point an internal investigation was launched.

An online dialogue between LockBit hackers and a person posing as an IT manager at Wabtec was started on the website. The hackers demanded $25 million in bitcoin for the decryptor and to delete the stolen information. Later, the request was increased to $30 million. Up to 2GB of data, according to the hackers, might be accessed.

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x