Ransomware victim disclosure
← All victimsCompanhia Paulista de Trens Metropolitanos (CPTM)
listed as CPTM · Claimed by Blackbyte · listed 4 years ago
Status timeline
- ListedDec 29, 2022
- Data leakeddate unknown
At a glance
About the victim
AI dossier — public-source company profileCPTM (Companhia Paulista de Trens Metropolitanos) is a state-owned commuter rail operator under the Secretariat of Urban Transportation of the State of São Paulo, Brazil. Created in 1992 through the merger of several railways, it operates a metropolitan rail network serving Greater São Paulo across 97 stations and approximately 2.5 million daily passengers.
- Industry
- Public Commuter Rail Transit
- Address
- São Paulo, SP, Brazil
- Founded
- 1992
Attack summary
Severity: critical — CPTM is a state-owned public transit operator serving ~2.5 million daily passengers; it is critical infrastructure. Data_published status confirms exfiltration. A breach of a government-owned rail operator likely involves PII of employees and potentially passengers, as well as sensitive operational and infrastructure data.Blackbyte claims to have attacked CPTM and has published data ('data_published' status), suggesting confirmed exfiltration of company data. No specific ransom amount or data size was stated in the post.
Data the group says was taken
AI dossier — extracted from the leak post- Internal corporate documents
- Government/public-sector operational data
- Potentially employee and HR records
- Potentially citizen/passenger data
What the group claims
The São Paulo Metropolitan Train Company is a commuter rail system owned by the Secretariat of Urban Transportation of the State of São Paulo. It was created in 1992 with the merger of several railways in Greater São Paulo, Brazil.
Sources
- Victim sitecptm.sp.gov.br/
Source
Indexed 4 years agoThis page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.
Is this your supplier? Your competitor? You?
Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

