scorecardresearch Skip to main content

Commuter rail operator hit with ransomware attack

Hackers appear to have published stolen employee information online

A commuter rail train at the Keolis maintenance facility Widett Circle South Boston.David L. Ryan/Globe Staff

Hackers have obtained personal information about workers for commuter rail operator Keolis and posted it online in an apparent scheme to blackmail the company.

Keolis Commuter Services spokesman Justin Thompson confirmed that it had been targeted on Oct. 10 in a so-called ransomware hack, a form of cybercrime in which hackers threaten to lock systems or release information if the victim does not pay.

The attack did not target the Massachusetts Bay Transportation Authority itself, nor did it affect the “safe operation” of the commuter system, Thompson said.

“Keolis immediately took affected systems off-line, notified law enforcement and implemented steps to protect and restore systems," Thompson said in a statement. "At no time were operational safety systems compromised, and there was no risk to system safety during this event.”


But employee records that included personal information were posted online.

“For impacted employees, we are providing support resources, such as credit monitoring and identity theft protection,” Thompson said.

He added that Kelios did not pay the ransom demand.

The MBTA declined to comment on the hack, and the union representing Keolis’s conductors could not immediately be reached for comment.

According to Keolis, which operates rail systems around the world, the hack only hit its Boston business. The company is working with a forensics company to investigate the incident.

Keolis also said it does not store any customer information, including credit card information.

The hacker group claims online that it has only published 1 percent of what it has obtained so far, though it is difficult to gauge the credibility of that claim, said Brett Callow, a threat analyst for the New Zealand-based cybersecurity company Emsisoft.

“They’re criminals and may be overstating the quantity of data that was stolen in order to apply additional pressure,” he said. “Working out exactly what happened during a ransomware incident, including the amount of data exfiltrated, is far from easy and requires a forensic investigation that can take weeks to complete. In some cases, the criminals may attempt to take advantage of their victim’s uncertainty.”


Keolis has operated the commuter rail for the MBTA since 2014, and recently had its contract extended through at least 2025.