Cybercriminals have attacked Alaska Railroad Corporation (ARRC), stealing sensitive information about its vendors and employees.
The notice to affected clients on April 17 stated that “a third party gained unauthorized access” to the ARRC’s internal network systems.
ARRC is owned by the State of Alaska and is a Class II railroad operating freight and passenger trains in the state. Transportation systems are considered critical infrastructure in the US, meaning that protecting them is a national security priority.
Highly sensitive data stolen
Allegedly, the attack happened on December 25, 2022. Threat actors are said to have acquired the personal information of the company’s vendors, current and former employees, and their dependents.
Reportedly, among stolen data were names, dates of birth, social security numbers, driver’s license or other government-issued identification numbers, employer tax identification numbers, and banking information.
Breached information also included highly sensitive information, such as medical and health insurance information, drug screening results, work evaluations, and birth or marriage certificates.
The Office of the Maine Attorney General states that 7,413 people were affected by the hack. ARRC has offered affected individuals free credit monitoring and identity theft protection services.
Under investigation
The company claims it discovered the incident on March 18, 2023, and took “immediate action to identify and contain this intrusion.” The late public notice is the result of a “law enforcement investigation.”
“Working with law enforcement and forensic investigators, we are conducting a thorough review of the potentially affected records and will notify you if there are any significant developments,” said the company.
Your email address will not be published. Required fields are markedmarked