Data Security Incident Update – Personal Data Breach Public Communication

Our Wabtec entities: Wabtec Corporation, Wabtec UK Limited and Wabtec Brasil Fabricação e Manutenção de Equipamentos Ltda., located in the US, Canada, UK and Brazil, respectively ("together Wabtec") are providing notice about an event that occurred earlier this year that affected some individuals’ personal information.

What Happened.  On June 26, 2022, Wabtec became aware of unusual activity on its network and promptly began an internal investigation. It was subsequently determined that malware was introduced into certain systems as early as March 15, 2022. Wabtec, with the assistance of leading cybersecurity firms, assessed the scope of the incident to, among other things, determine if personal data may have been affected. Additionally, shortly after discovery of the event, Wabtec notified the Federal Bureau of Investigation.

The forensic investigation did reveal that certain systems containing sensitive information were subject to unauthorized access, and that a certain amount of data was taken from the Wabtec environment on June 26, 2022. The information was later posted to the threat actor’s leak site. On November 23, 2022, Wabtec, with the assistance of data review specialists, determined that personal information was contained within the impacted files. On December 30, 2022, Wabtec began notifying affected individuals, per relevant regulations, with a formal letter, to let them know their data was involved. 

What Information Was Involved.  The affected information varies by individual but includes a combination of the following data elements: First and Last Name, Date of Birth, Non-US National ID Number, Non-US Social Insurance Number or Fiscal Code, Passport Number, IP Address, Employer Identification Number (EIN), USCIS or Alien Registration Number, NHS (National Health Service) Number (UK), Medical Record/Health Insurance Information, Photograph, Gender/Gender Identity, Salary, Social Security Number (US), Financial Account Information, Payment Card Information, Account Username and Password, Biometric Information, Race/Ethnicity, Criminal Conviction or Offense, Sexual Orientation/Life, Religious Beliefs, Union Affiliation.

What Wabtec Is Doing. Wabtec is committed to and takes very seriously its responsibility to safeguard all data entrusted to it. As part of the company’s ongoing commitment to the security of personal information in its care, it has taken additional steps to reinforce the integrity and security of its systems and operations, including implementing additional procedural safeguards. Wabtec has been notifying all applicable regulatory and data protection authorities, as required.

What You Can Do | Potential Consequences. While there is no indication that any specific information was or will be misused, considering the nature of the incident and of the affected personal data, we cannot rule out that there may be attempts to carry out fraudulent activity. For this reason, Wabtec encourages individuals to remain vigilant against incidents of identity theft and fraud by reviewing their financial account statements and credit reports for any anomalies. Please see below for additional details in the different jurisdictions.

For More Information. If individuals have additional questions not addressed in this notice, they may contact a member of Wabtec's data privacy team by sending an email to privacy [at] wabtec [dot] com. Please see below for additional contact details in the different jurisdictions.

**********

Steps You Can Take to Help Protect Your Personal Data – US

If individuals in the US have additional questions not addressed in this notice, they may also call the dedicated assistance line at 1-888-505-4784 Monday through Friday from 9:00 am to 9:00 pm ET.

Wabtec encourages individuals to learn more about identity theft, fraud alerts, security freezes, and the steps they can take to protect themselves by contacting the consumer reporting agencies, the Federal Trade Commission, or their state Attorney General. 

Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228.  You may also contact the three major credit bureaus directly to request a free copy of your credit report, a security freeze, or a fraud alert.

 

Experian TransUnion Equifax
  Security Freeze  
Experian Credit Freeze
P.O. Box 9554
Allen, TX 75013		 TransUnion Credit Freeze
P.O. Box 160
Woodlyn, PA 19094		 Equifax Credit Freeze
P.O. Box 105788
Atlanta, GA 30348
1-888-397-3742 1-888-909-8872 1-800-685-1111
www.experian.com/freeze/center.html www.transunion.com/credit-freeze www.equifax.com/personal/credit-report-services
  Fraud Alert  
Experian Fraud Alert
P.O. Box 9554
Allen, TX 75013		 TransUnion Fraud Alert
P.O. Box 2000
Chester, PA 19016		 Equifax Fraud Alert
P.O. Box 105069 
Atlanta, GA 30348
1-888-397-3742 1-800-680-7289 1-888-766-0008
www.experian.com/fraud/center.html www.transunion.com/fraud-victim-resource/place-fraud-alert www.equifax.com/personal/credit-report-services

 

You have the right to place a “security freeze” on your credit report, which will prohibit a consumer reporting agency from releasing information on your credit report without your expressed authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a security freeze on your credit report. 

To request a security freeze, you will need to provide the following information:

  1. Your full name (including middle initial, as well as Jr., Sr., II, III, etc.);
  2. Social Security number;
  3. Date of birth;
  4. If you have moved in the past five (5) years, provide the addresses where you have lived over the prior five years;
  5. Proof of current address, such as a current utility bill or telephone bill;
  6. A legible photocopy of a government-issued identification card (state driver’s license or ID card, military identification, etc.);
  7. If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft.

As an alternative to a security freeze, you have the right to place an initial or extended “fraud alert” on your file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years.

The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580, www.identitytheft.gov, 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. You can obtain further information on how to file such a complaint by way of the contact information listed above. You have the right to file a police report if you ever experience identity theft or fraud.  Please note that in order to file a report with law enforcement for identity theft, you will likely need to provide some proof that you have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement and your state Attorney General. This notice has not been delayed by law enforcement.

**********

Steps You Can Take to Help Protect Your Personal Data – UK

Please find below some guidance around the practical steps you can take in the UK to protect yourself: 

  • We encourage you to get in touch with your bank and ask about additional security measures that can be implemented by your bank to protect your bank accounts.
  • Register for identity protection and credit monitoring services such as https://www.cifas.org.uk/organisations to guard against the risk of identity theft or fraud. If you think you have been a victim of fraud, report it to Action Fraud, the UK's national fraud and internet crime reporting centre on 0300 123 2040;
  • You can consider implementing two-factor authentication (2FA) where possible to protect your online accounts from unauthorised access as described in the following publication on the National Cyber Security Centre’s website: NCSC: 2fa;
  • Follow normal online hygiene by using secure passwords and monitoring your personal email and social media accounts for any unusual activity (for example, check your email accounts to ensure that your spam filters are set to capture any increase in unsolicited communications). Guidance concerning what to be vigilant for online can be found at: NCSC: Data Breaches and NCSC: Password;
  • If you receive unsolicited communications asking for personal data, do not reveal any full passwords, login details or account numbers without being certain of the identity of the person making the request. Do not click on links you do not recognise. The National Cyber Security Centre has published advice regarding suspicious emails on its website: NCSC: Suspicious Email. If you have received an email which you’re not quite sure about, forward it to the Suspicious Email Reporting Service (SERS) via report [at] phishing [dot] gov [dot] uk; and
  • If you receive unsolicited communications from a bank or financial provider, do not transfer any money without being certain of the identity of the person making the request. The Financial Conduct Authority has published guidance on identifying financial scams on its website: FCA: Scams.

**********

Atualização sobre Incidente de Segurança de Dados – Comunicação Pública de Incidente de Segurança da Informação

 

Nossas entidades Wabtec: Wabtec Corporation, Wabtec UK Limited e Wabtec Brasil Fabricação e Manutenção de Equipamentos Ltda., localizadas respectivamente nos E.U.A, Canadá, Reino Unido e Brazil (em conjunto “Wabtec”) estão neste ato comunicando publicamente acerca de um evento ocorrido no início deste ano que afetou informações pessoais de alguns indivíduos.

O que aconteceu.  Em 26 de junho de 2022, a Wabtec ficou ciente de uma atividade não usual nas suas redes e prontamente iniciou uma investigação interna. Foi determinado posteriormente que um malware já havia sido introduzido em alguns sistemas em 15 de março de 2022. A Wabtec, com o apoio de empresas líderes de mercado em segurança cibernética, analisou o escopo do incidente e, entre outros aspectos, determinou se dados pessoais foram afetados. Além disso, logo após a descoberta do evento, a Wabtec notificou o Federal Bureau of Investigation – FBI.

A investigação forense de fato revelou que certos sistemas, contendo informações sensíveis, foram acessados de modo não autorizado e que uma certa quantidade de dados foi retirada dos ambientes da Wabtec em 26 de junho de 2022. Tais informações foram posteriormente publicadas em site hacker voltado para vazamento de dados. A Wabtec, com a assistência de especialistas em revisão de dados, determinou que havia informações pessoais em alguns dos arquivos impactados. Em 30 de Dezembro de 2022, a Wabtec começou a notificar os indivíduos afetados, de acordo com as normas aplicáveis, com uma carta formal, com o objetivo de fazer com que esses indivíduos tenham conhecimento de que seus dados estavam envolvidos.

Quais Informações Estavam Envolvidas.  As informações afetadas variam de acordo com o indivíduo afetado, mas incluem a combinação dos seguintes dados: Nome e Sobrenome, Data de nascimento, Número de Identificação Nacional não americano, Número de Seguridade Social ou CPF, Número de Carteira de Motorista ou de Identificação Estadual, Número de Passaporte, Registro Médico/Informações sobre Seguro de Saúde, Fotografia, Gênero/Identidade de Gênero, Salário, Número de Seguridade Social (EUA), Informações sobre Contas Financeiras, Informações sobre Cartão de Pagamento, Nome de Usuário e Senha de Contas, Informações Biométricas, Raça/Etnia, Orientação/Vida Sexual, Crenças Religiosas, Filiação a Sindicato.

O que a Wabtec Está Fazendo. A Wabtec está comprometida com e considera de forma muito séria a sua responsabilidade em proteger todos os dados confiados a nós. Como parte do compromisso permanente da empresa relacionado à segurança das informações pessoas sob o seu cuidado, ela tem implementado medidas adicionais para reforçar a integridade e a segurança dos seus sistemas e operações, incluindo a implementação de mais salvaguardas procedimentais. A Wabtec notificou todas as autoridades regulatórias e de proteção de dados de acordo com as normas aplicáveis.

O que Você Pode Fazer | Potenciais Consequências.Enquanto não houver indicação de que qualquer informação específica foi ou será utilizada indevidamente, considerando a natureza do incidente e dos dados pessoais afetados, não podemos afastar a possibilidade de tentativas de atividades fraudulentas. Por essa razão, encorajamos você a permanecer vigilante contra incidentes de roubo de identidade e fraude a partir da revisão dos seus extratos bancários, financeiros e informativos de créditos para identificar qualquer anomalia. Veja abaixo mais detalhes sobre o tema.

Para Mais Informações. Questões adicionais que não foram endereçadas nessa comunicação podem ser encaminhadas a um membro do time de privacidade da Wabtec por meio do e-mail privacy [at] wabtec [dot] com ou o Encarregado de Dados, Henrique Tavares (henrique [dot] tavares [at] wabtec [dot] com, +55 31 999307520).

**********

Medidas que Você Pode Tomar Para Auxiliar na Proteção dos Seus Dados Pessoais - Brasil

Seguem abaixo algumas recomendações com medidas práticas que você pode tomar no Brasil para se proteger:

  • Nós encorajamos você a entrar em contato com o seus banco e solicitar medidas de segurança adicionais que podem ser implementadas pelo seu banco, a fim de proteger as suas contas bancárias;
  • Se você acreditar que tenha sido vítima de fraude, faça uma denúncia à Polícia Federal: Superintendencias e delegacias;
  • Você deve considerar implementar autenticação por dois fatores (2FA) conforme seja possível, a fim de proteger as suas contas online de acessos não autorizados, conforme descrito na seguinte publicação do Núcleo de Informação e Coordenação do Ponto BR (Nic.br):  NIC: autenticação;
  • Siga procedimentos normais de hygiene online utilizando senhas seguras e monitorando o seu e-mail pessoal e as suas contas de redes sociais contra qualquer atividade não usual (por exemplo, cheque as suas contas de e-mail para se assegurar que os filtros de spam estão configurados para capturar qualquer aumento em comunicações não solicitadas). Guia a respeito de ser vigilante online pode ser encontrado em NIC: senhas e NIC: privacidade
  • Se você receber comunicações não solicitadas pedindo por dados pessoais, não revele qualquer senha, detalhes de login ou números de conta, sem ter a certeza da identidade da pessoa realizando a solicitação. Não clique em links que você não reconheça. O Núcleo de Informação e Coordenação do Ponto BR (Nic.br) publicou alguns guias a respeito de (i) redes   NIC: redes (ii) computadores NIC: computadores e (iii) dispositivos móveis NIC: dispositivos móveis. Se você recebeu um e-mail sobre o qual você não tem certeza da procedência, envie-o para a Política Federal conforme indicado acima;
  • Se você recebeu comunicações não solicitadas de um banco ou um prestador de serviços financeiros, não transfira qualquer dinheiro sem estar certo da identidade da pessoa realizando a solicitação. O Banco Central do Brasil publicou um FAQ para identificar fraudes financeiras e como lidar com elas:   BCB: Alerta de golpes; e
  • Você pode solicitar gratuita e livremente um reporte dos seus créditos aos gestores oficiais de banco de dados de crédito: Serasa  (Serasa),  (Boa Vista), SPC (SPC) e Quod (Quod).

**********

Steps You Can Take to Help Protect Your Personal Information – Canada 

If individuals in Canada have additional questions not addressed in this notice, they may also call the dedicated assistance line at 1-888-505-4784 Monday through Friday from 9:00 am to 9:00 pm ET. Additionally, individuals may contact a member of Wabtec's Data Privacy Team by emailing privacy [at] wabtec [dot] com

1. Monitor Your Accounts

We encourage you to remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports for suspicious activity.  You can access your free credit report from Equifax and TransUnion.

2. Place a Fraud Alert on Your Credit File

A fraud alert is a notice placed on your credit file that alerts creditors that you may be a victim of fraud. There are also two types of fraud alerts that you can place on your credit report to put your creditors on notice that you may be a victim of fraud: an initial alert and an extended alert. You may ask that an initial fraud alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. An initial fraud alert stays on your credit report for at least 90 days. You may have an extended alert placed on your credit report if you have already been a victim of identity theft with the appropriate documentary proof. An extended fraud alert stays on your credit report for seven years. You can place a fraud alert on your credit report by calling the toll-free fraud number of any of the two national credit reporting agencies listed below or visiting the listed websites.

3. Other Steps You Can Take

In addition to the above, we encourage you to:

  • Monitor your mail for any disruption in delivery. If you notice any irregularities (such as missing financial statements, payment card statements or other documents), report such irregularities to Canada Post;
  • Monitor your banking and card statements and report any suspicious activity in accounts;
  • Do not reply to, click links or open attachments to messages that are suspicious. Malicious messages may contain typos or bad grammar, have formatting errors, offer unsolicited freebies or ask recipients to disclose their financial information or passwords. Always verify that the source of a message is legitimate before responding or taking action; and
  • Be suspicious of any emails or text messages asking for personal information.

**********

Nos entités Wabtec : Wabtec Corporation, Wabtec UK Limited et Wabtec Brasil Fabricação e Manutenção de Equipamentos Ltda, situées respectivement aux États-Unis, au Canada, au Royaume-Uni et au Brésil (ensemble, « Wabtec ») vous informent d'un événement survenu au début de l'année qui a affecté les informations personnelles de certaines personnes.

Que s'est-il passé.  Le 26 juin 2022, Wabtec a pris conscience d'une activité inhabituelle sur son réseau et a rapidement lancé une enquête interne. Il a ensuite été déterminé qu'un logiciel malveillant avait été introduit dans certains systèmes dès le 15 mars 2022. Wabtec, avec l'aide de sociétés de cybersécurité de premier plan, a évalué la portée de l'incident pour, entre autres, déterminer si des données personnelles avaient pu être affectées. En outre, peu après la découverte de l'événement, Wabtec a informé le Federal Bureau of Investigation, aux États-Unis.

L'enquête judiciaire a révélé que certains systèmes contenant des informations sensibles ont fait l'objet d'un accès non autorisé et qu'un certain nombre de données ont été extraites de l'environnement de Wabtec le 26 juin 2022. Ces informations ont ensuite été publiées sur le site de fuite de l'acteur de la menace. Le 23 novembre 2022, Wabtec, avec l'aide de spécialistes de l'analyse des données, a déterminé que des informations personnelles étaient contenues dans les fichiers impactés. Le 30 Décembre 2022, Wabtec a commencé à notifier les personnes concernées, conformément aux réglementations pertinentes, par une lettre officielle, pour leur faire savoir que leurs données étaient concernées.

Quelles sont les informations concernées.  Les informations concernées varient selon les individus mais comprennent une combinaison des éléments de données suivants : Nom et Prénom, Date de naissance, Numéro d'assurance sociale ou code fiscal non américain, Sexe/identité sexuelle, Salaire, Numéro de compte financier, Informations d'accès au compte financier, Numéro de carte de paiement..

Ce que fait Wabtec. Wabtec s'engage et prend très au sérieux sa responsabilité de protéger toutes les données qui lui sont confiées. Dans le cadre de son engagement permanent envers la sécurité des informations personnelles qui lui sont confiées, la societé a pris des mesures supplémentaires pour renforcer l'intégrité et la sécurité de ses systèmes et de ses opérations, notamment en mettant en place des garanties procédurales supplémentaires. Wabtec a notifié toutes les autorités réglementaires et de protection des données applicables, tel que requis.

Ce que vous pouvez faire | Conséquences potentielles. Bien que rien n'indique que des informations spécifiques ont été ou seront utilisées à mauvais escient, compte tenu de la nature de l'incident et des données personnelles concernées, nous ne pouvons exclure la possibilité de tentatives d'activités frauduleuses. Pour cette raison, Wabtec encourage les personnes à rester vigilantes face aux incidents d'usurpation d'identité et de fraude en examinant leurs relevés de comptes financiers et leurs rapports de crédit pour détecter toute anomalie. Veuillez voir ci-dessous pour plus de détails.

Pour plus d'informations. Si les individus concernés ont des questions supplémentaires qui ne sont pas abordées dans cet avis, ils peuvent appeler la ligne d'assistance dédiée à cet effet au numéro de téléphone du centre d'appels 1-888-505-4784 du lundi au vendredi partir de 9 :00 am à 9 :00 pm ET. En outre, les personnes peuvent contacter un membre de l'équipe de confidentialité des données de Wabtec en envoyant un courriel à privacy [at] wabtec [dot] com.

 

Mesures que vous pouvez prendre pour aider à protéger vos renseignements personnels – Canada

1. Surveillez vos comptes

Nous vous encourageons à rester vigilant face aux incidents d'usurpation d'identité et de fraude, à examiner vos relevés de compte et à surveiller vos rapports de crédit pour détecter toute activité suspecte. Vous pouvez accéder gratuitement à votre dossier de crédit auprès d'Equifax et de TransUnion.

2. Placez une alerte à la fraude sur votre dossier de crédit

Une alerte à la fraude est un avis placé sur votre dossier de crédit qui avertit les créanciers que vous pourriez être victime d'une fraude. Il existe également deux types d'alertes à la fraude que vous pouvez placer sur votre dossier de crédit pour avertir vos créanciers que vous pourriez être victime d'une fraude : une alerte initiale et une alerte prolongée. Vous pouvez demander qu'une alerte initiale à la fraude soit placée sur votre dossier de crédit si vous pensez avoir été, ou être sur le point d'être, victime d'un vol d'identité. Une alerte initiale à la fraude reste sur votre dossier de crédit pendant au moins 90 jours. Une alerte prolongée peut être placée sur votre dossier de crédit si vous avez déjà été victime d'une usurpation d'identité et que vous disposez des preuves documentaires appropriées. Une alerte de fraude prolongée reste sur votre dossier de crédit pendant sept ans. Vous pouvez placer une alerte à la fraude sur votre dossier de crédit en appelant le numéro gratuit de l'une des deux agences nationales d'évaluation du crédit énumérées ci-dessous ou en consultant les sites Web indiqués

3. Autres mesures que vous pouvez prendre

En plus de ce qui précède, nous vous encourageons à:

  • Surveiller votre courrier pour déceler toute perturbation dans la livraison. Si vous remarquez des irrégularités (comme des états financiers, des relevés de cartes de paiement ou d'autres documents manquants), signalez-les à Postes Canada ;
  • Surveiller vos relevés bancaires et de cartes de paiement et signaler toute activité suspecte dans vos comptes;
  • Ne répondez pas aux messages suspects, ne cliquez pas sur les liens et n'ouvrez pas les pièces jointes. Les messages malveillants peuvent contenir des fautes de frappe ou de grammaire, présenter des erreurs de formatage, offrir des cadeaux non sollicités ou demander aux destinataires de divulguer leurs informations financières ou leurs mots de passe. Vérifiez toujours que la source d'un message est légitime avant de répondre ou de prendre des mesures ; et
  • Méfiez-vous des courriels ou des SMS vous demandant des informations personnelles.