A ransomware crew known as Qilin says it broke into the Transport Workers Union’s Local 100 and dumped stolen files on its dark web leak site, potentially exposing the personal information of tens of thousands of New York City transit workers and retirees. The powerhouse chapter represents subway and bus operators, maintenance crews and other MTA staff across all five boroughs. Union leaders and cyber experts warn the leak could fuel targeted phishing attempts, identity theft and benefits fraud for current and former members.
What happened
Qilin listed TWU Local 100 on its victim blog and published sample files, raising urgent questions about how deep the breach goes, as reported by Cybernews. The chapter represents roughly 41,000 active workers and 26,000 retirees, about 67,000 people in total, any of whom could see names, contact details or benefit information land in criminal hands.
What data may be at risk
According to the union’s public materials and reporting on the incident, the compromised records could include full names, basic contact information, job titles and salary details. They may also cover medical and insurance benefits, retirement and pension planning, housing assistance files, grievance and disciplinary records and other casework, as outlined by TechRadar Pro. Even without Social Security numbers or bank account details, those personnel and benefits files are gold for scammers looking to build convincing, targeted cons.
Why unions are attractive targets
Security analysts point out that unions often hold a rich mix of personnel data and benefits information that criminals can use to impersonate members or union officials, then pry loose pension payments or other funds. Qilin has rapidly scaled its operations in recent years and runs as a Ransomware as a Service outfit that claimed hundreds of victims in 2025, according to industry tracking at Comparitech.
What members should do now
Members are being urged to treat any sudden email or text with kid gloves, especially messages that ask them to click links, update passwords or share personal details. Instead of trusting a random link, they should verify any supposed union communication by calling known Local 100 phone numbers or using official contact channels. The Federal Trade Commission’s IdentityTheft.gov site lays out a detailed recovery plan, including how to place fraud alerts, freeze credit and report identity theft, and is widely regarded as the best starting point after a breach, see IdentityTheft.gov. Local coverage has also urged members and retirees to keep a close eye on bank and benefits statements and report anything suspicious to their banks and to the union.
Legal and union obligations
Because thousands of New York residents may be affected, the incident is likely to trigger state breach notification rules under New York’s SHIELD Act, which requires prompt consumer notice and sets out security safeguards and penalties for failing to notify. Guidance from the New York Attorney General notes that when a breach affects more than 5,000 New Yorkers, organizations must submit details through the Attorney General’s breach reporting portal and also notify credit reporting agencies.
TechRadar Pro reported that it contacted TWU Local 100 for comment and had not yet received a response at the time of publication. This story will be updated if the union, the MTA or law enforcement release additional details or guidance. Until then, members and retirees are being advised to treat unexpected messages with extra skepticism and to flag anything suspicious to their financial institutions, the union and relevant authorities.
