RailWorks Corporation Disclosed Catastrophic Ransomware Infection

Last updated September 17, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

RailWorks Corporation has disclosed a ransomware attack that has resulted in the exposure of PII (personally identifiable information) of current and former employees, as well as their beneficiaries and dependents. The company is one of North America’s leading rail contractors, offering railroad construction, inspection and maintenance services, the development of transit rail systems, industrial welding, installation of signal and communications systems, and the construction of bridges or other railroad structures. They employ 3500 people in 45 offices across the United States and Canada, and currently runs contracts that are worth $3 billion.

Unfortunately, the ransomware attack and the subsequent compromise of the PII has affected independent contractors as well, so the total number of people who were exposed in this incident is measured in the tens of thousands. The railroad company has notified California’s Office of the Attorney General of the data breach, as they are obliged to do by the applicable law. As they mention in the notice, the exposed individuals have already been warned about the breach on January 30, 2020, and on February 7, 2020. These people will now enjoy free credit monitoring services by “Identity Guard Total” for twelve months. If you have worked for or with RailWorks in the past, call them at 1-866-977-1068 or 1-855-433-7748 to address any questions or concerns that you may have.

The data that has been exfiltrated by the actors include the following:

This is maybe the first time that we report an incident involving both the stealing of data and its lockdown through encryption. Usually, malicious actors go for one of the two, but it looks like we may be at the beginning of a new age. Since ransomware infections presuppose a large-scale compromise of a corporate network, why wouldn’t hackers opt for practices that would maximize their profits? Stealing the data and then asking for the payment of a ransom to unlock them on the firm’s systems is the ideal scenario for crooks. Moreover, they can sustain the threats for longer, leaking parts of the stolen data online, and causing extended periods of negative publicity and business disruption for their victims.

Of course, this is making the payment of ransoms even more futile, as the circle of exploitation has literally no end. That said, it’s time for firms of all sizes and in all fields to invest a lot more in cybersecurity protection and incident response, prioritizing it in accordance with its criticality. If the trend of data harvesting and locking down picks up, the dire consequences for some companies will be too great to handle in many cases.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: