TransLink employees might be exposed to identity theft after a hack

TransLink hit by Egregor ransomware, sensitive employee data stolen

TransLink hack confirmed: Vancouver's Metro company impaired by Egregor ransomware attack

Due to a ransomware attack, Vancouver Metro employees might be exposed to identity theft, as their social security and banking information might have been stolen.[1] The company urges its employees to sign up for a two-year credit monitoring service that the company provides for free.

Threat actors often steal sensitive company data before encrypting it and hold it as leverage until their demands are met. TransLink is working on identifying which files were accessed and copied to determine which employees might be affected.

The company quickly reassured its customers that they have nothing to worry about, as they will not be affected by the possible data breach:[2]

We want to assure our customers that TransLink does not store fare payment data. We use a secure third-party payment processor for all fare transactions, and we do not have access to that type of data.

TransLink hack caused by Egregor operators

TransLink, the company that controls the regional transportation network of Metro Vancouver in British Columbia, Canada, suffered a cyberattack on December 1st, 2020. Because of the security breach, Vancouverites could not purchase travel tickets with credit or debit cards for a few days.

At first, TransLink tried to hide the security breach by reporting a prolonged technical issue, until a local news team got hold of evidence and the company's CEO reported the incident,[3] admitting that TransLink had suffered a ransomware attack.

Kevin Desmond, the TransLink CEO, stated:

We're in a position to confirm that TransLink was the target of a ransomware attack on some of our IT infrastructure. This attack included communications to TransLink through a printed message.

During the cyberattack, company printers started spewing out ransom notes. These notes contained details about the attack on the company and threats that the stolen data would be published if no one contacted the attackers within three days. It was later discovered that the hack had been carried out by the Egregor ransomware[4] group.

Egregor ransomware operation causing havoc since September

The attack on TransLink is just one of many carried out last year by the Egregor ransomware operators and their affiliates. Bookstore giant Barnes & Noble, Chilean retail giant Cencosud, and well-known game developers Ubisoft and Crytek[5] have all been hit by this ransomware since September 2020.

Apart from having their devices or networks encrypted, all of these companies have reported data leakage. The criminals behind this operation always steal some confidential company data (customer details, NPR agreements, employee details, or anything else they can get their hands on) to blackmail their victims into accepting their terms and paying the ransom; otherwise the stolen information is published on the group's website, which is accessible only through the Tor browser.

That is just one trait by which Egregor ransomware attacks can be identified. Another is the almost identical ransom notes and the way they are delivered: they abruptly start printing from company printers as soon as the intrusion is complete.

About the author
Gabriel E. Hall
Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
