Alaska Railroad Corporation reported a data breach incident that occurred in December 2022 and they discovered it on March 18th, 2023.
According to ARCC, a third party gained unauthorized access to the internal network system. Further on, threat actors accessed and exfiltrated sensitive data of vendors, current and former employees, and their dependents.
Alaska Railroad claims that passengers’ data safety was not impacted. Additionally, there is no threat to railroad safety. As ARRC President and CEO Bill O’Leary stated:
As is unfortunately a common occurrence in our world, ARRC is not immune to cyber threats. Now that the threat has been contained, we have moved from incident response to monitoring, lessons learned, ongoing security improvement planning and helping affected users to personally respond to the stolen information.
We can also confirm that the incident did not and will not pose any safety risks to our trains, our passengers, freight or any railroad infrastructure.
The Stolen Data
Reportedly, the attack happened on December 25, 2022. Hackers got unauthorized access to the Railroad`s internal network system and stole data. The data breach was discovered and contained on March 18, 2023. While there is no sign that passengers’ data were compromised, hackers did steal vendors and current and former employees’ personal information.
Among the stolen data there were:
- Names and birth data,
- Birth or marriage certificates,
- Social Security numbers,
- Driver’s license or other government-issued identification numbers,
- Employer tax identification numbers,
- Banking information,
- Medical and health insurance information,
- Drug screening results.
Further Consequences of the Alaska Railroad Data Breach
In the US, transportation systems are considered critical infrastructure, therefore protecting them is a national security priority.
Alaska Railroad Corporation belongs to the State of Alaska and provides year-round rail transportation services. Since ARRC is a state-owned corporation but is operated like a private business, its employees are not part of the state personnel system.
According to the Office of the Maine Attorney General, 7,413 people were impacted by the cyberattack.
The hackers could use the stolen data to launch phishing attacks, online impersonation, credit card fraud, or medical identity theft.
As a consequence, ARRC offered them free credit monitoring and identity theft protection services.
The Railroad already announced a law enforcement investigation was ongoing since they discovered the incident. Forensic investigators are also involved.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube for more cybersecurity news and topics.