Railroad construction and maintenance firm Railworks Corp. has disclosed a ransomware attack that may have also resulted in the breach of personally identifiable information.

The attack took place on Jan. 27 and email notifications were sent to those affected by the attack between Jan. 30 and Feb. 7. Data potentially stolen in the attack included names, addresses, driver license numbers, government-issued IDs, Social Security numbers, dates of birth and other employee information. Those affected were employees, family members and independent contractors.

Details of how the attack took place are somewhat vague. Railworks said it involved a “sophisticated cyberattack in which an unauthorized third party encrypted its servers and systems.” No information was provided as to whether any Railwork projects or services were shut down or otherwise affected by the attack.

The company is offering those affected free credit monitoring services for 12 months, though it noted that it has no evidence thus far that the information that was stolen had been misused.

Railworks has 3,500 employees in 45 states across the U.S. and Canada and currently manages contracts worth $3 billion. Notable projects managed by the company included the New Orleans’ new streetcar line, the JFK Airport AirTrain upgrade and various other projects in New York. Potentially the number of people affected by the data breach, including contractors could be in the tens of thousands.

James McQuiggan, security awareness advocate at security awareness training firm KnowBe4 Inc., told SiliconANGLE that organizations take a high risk when they don’t implement proper security measures to protect their intellectual property, personal information or other sensitive information.

“In similar cases organizations provide free credit monitoring, which in turn requires the folks to provide the same sensitive information that was taken to a third party that will monitor their identity and social security numbers for only one year,” he said. “The money that organizations spend on monitoring services post-breach would have been better spent on educating and training their employees on social engineering scams or the folks responsible for securing infrastructure, applications or data.”

Photo: Railworks