Qilin Ransomware Strikes New York City Transit Workers’ Union, Exposing Thousands of Members’ Personal Data

The Transport Workers Union of America Local 100, which represents more than 45,000 New York City transit employees, has confirmed it was the target of a ransomware attack carried out by the Qilin cybercriminal group. The breach, which the union says occurred in early April 2025, has potentially compromised the personal information of thousands of current and former members, raising fresh alarms about the vulnerability of labor organizations and public-sector-adjacent entities to sophisticated cyber extortion campaigns.
The union, whose members operate the city’s buses, subways, and commuter rail systems, disclosed the incident in a notification to affected individuals and regulatory authorities. According to reporting by TechRadar, the attack was first detected on April 13, 2025, when TWU Local 100’s IT systems experienced disruptions consistent with a ransomware deployment. The union moved quickly to isolate affected systems and engaged third-party cybersecurity specialists to assess the damage and begin remediation efforts.
A Union Built for the Subway, Not for Cyberwarfare
TWU Local 100 is one of the most prominent labor unions in the United States, representing the workers who keep New York City’s sprawling mass transit system running. Its members include subway operators, bus drivers, maintenance workers, and station agents employed by the Metropolitan Transportation Authority. The union has long been a political force in New York City and state politics, negotiating contracts that affect the daily operations of a transit system used by millions of riders.
But like many labor organizations, TWU Local 100 does not possess the cybersecurity infrastructure of a Fortune 500 company or a federal agency. Unions collect and store vast quantities of sensitive personal data—Social Security numbers, addresses, dates of birth, financial information tied to dues and benefits—making them attractive targets for ransomware operators who understand that smaller organizations often have fewer defenses and may be more inclined to pay ransoms to recover encrypted data.
What Qilin Took—and What It Threatens to Release
The Qilin ransomware group, which has been active since at least 2022 and operates under a ransomware-as-a-service model, claimed responsibility for the attack. The group listed TWU Local 100 on its dark web leak site, a common tactic used to pressure victims into paying by threatening to publish stolen data. According to TechRadar, the compromised data may include names, Social Security numbers, dates of birth, and other personally identifiable information belonging to union members, retirees, and possibly their dependents.
TWU Local 100 stated in its breach notification that it is offering affected individuals credit monitoring and identity theft protection services, a standard response in the wake of data breaches involving Social Security numbers. The union has not publicly disclosed whether it paid or intends to pay a ransom, and Qilin’s demands have not been made public. Law enforcement agencies, including the FBI, have been notified, though the union has not detailed the extent of its cooperation with federal investigators.
Qilin’s Growing Rap Sheet and Evolving Tactics
Qilin, also tracked by some cybersecurity researchers under the name “Agenda,” has emerged as one of the more prolific ransomware operations in recent years. The group is believed to be Russian-speaking, though definitive attribution remains elusive. Qilin operates a ransomware-as-a-service platform, meaning it develops the malware and infrastructure while recruiting affiliates who carry out the actual intrusions in exchange for a percentage of any ransom payments collected.
The group gained significant notoriety in June 2024 when it attacked Synnovis, a pathology services provider for the United Kingdom’s National Health Service, disrupting blood testing and other diagnostic services across major London hospitals. That attack demonstrated Qilin’s willingness to target organizations whose disruption could have life-or-death consequences. The TWU Local 100 attack, while not directly threatening transit operations—the MTA’s systems were not affected—underscores the group’s broadening target selection, which now includes labor organizations, healthcare providers, manufacturing firms, and government contractors.
Labor Unions as Soft Targets in an Age of Digital Extortion
Cybersecurity experts have long warned that organizations outside the traditional corporate perimeter—nonprofits, unions, small municipalities, school districts—are increasingly in the crosshairs of ransomware groups. These entities often hold data that is just as sensitive as that maintained by large corporations, but they typically operate with a fraction of the cybersecurity budget. A 2024 report from the Cybersecurity and Infrastructure Security Agency noted that ransomware attacks on non-corporate entities had increased markedly, with attackers recognizing that these organizations often lack dedicated security operations centers, advanced endpoint detection tools, and incident response plans.
For TWU Local 100, the breach raises uncomfortable questions about data stewardship. Union members entrust their organizations with deeply personal information as a condition of membership and benefits enrollment. When that trust is violated—even through no direct fault of the union’s leadership—it can erode confidence in the institution itself. Several TWU Local 100 members, speaking to local media outlets, expressed frustration and concern about the potential for identity theft, particularly among retirees who may be less equipped to monitor their credit and financial accounts for signs of fraud.
The MTA Says Its Systems Were Not Breached
The Metropolitan Transportation Authority, which operates the transit systems where TWU Local 100 members work, was quick to clarify that its own networks and operational technology systems were not compromised in the attack. The MTA and TWU Local 100 maintain separate IT infrastructures, and there is no indication that the ransomware spread beyond the union’s own systems. This distinction is significant: a breach of MTA operational systems could have had direct implications for the safety and reliability of subway and bus service across the five boroughs.
Still, the incident serves as a reminder that the broader network of organizations connected to critical infrastructure—unions, contractors, vendors, consultants—can serve as indirect vectors for disruption. Supply chain and third-party attacks have become a defining feature of the modern threat environment, and the TWU Local 100 breach illustrates how an attack on a peripheral organization can still generate significant consequences for the workers and systems tied to essential public services.
Federal Response and the Broader Policy Debate
The FBI and CISA have both issued advisories about Qilin in recent months, warning organizations across sectors to patch known vulnerabilities, implement multi-factor authentication, and maintain offline backups. The federal government has made ransomware a top-tier national security priority since the Colonial Pipeline attack in 2021, but enforcement and prevention efforts have struggled to keep pace with the sheer volume and sophistication of attacks.
On Capitol Hill, the TWU Local 100 breach is likely to add fuel to ongoing debates about mandatory breach notification timelines, minimum cybersecurity standards for organizations that handle large volumes of personal data, and the question of whether ransom payments should be banned or regulated. Proponents of stricter regulation argue that too many organizations treat cybersecurity as an afterthought until they are victimized, while opponents contend that imposing rigid mandates on unions, nonprofits, and small entities would be financially burdensome and practically unworkable.
What Comes Next for TWU Local 100 and Its Members
In the near term, TWU Local 100 faces the dual challenge of restoring its IT systems and managing the fallout from the data exposure. The union has stated that it is working with cybersecurity firms to harden its defenses and prevent future intrusions. For the thousands of members whose data may now be circulating on dark web forums, the offered credit monitoring is a stopgap measure, not a permanent solution. Identity theft stemming from breaches of this nature can surface months or even years after the initial compromise.
The Qilin attack on TWU Local 100 is not an isolated event but part of a broader pattern in which ransomware groups are systematically targeting organizations that sit outside the hardened perimeters of major corporations and government agencies. Until labor unions, nonprofits, and similar entities receive the resources and guidance necessary to defend themselves, they will remain high-value, low-resistance targets for criminal enterprises operating with near impunity from jurisdictions beyond the reach of American law enforcement. For the men and women who drive New York City’s buses and operate its subway trains, the breach is a stark reminder that the risks of the digital age extend well beyond the platforms and tunnels where they work.