Transport Workers Union (TWU) Local 100 has confirmed a cybersecurity incident resulting in a data breach affecting an estimated 10,000 to 100,000 records. The breach was first disclosed on April 24, 2026, via an attorney general filing, marking another significant compromise targeting organized labor infrastructure in the transportation sector.

What Happened

TWU Local 100, the New York City-based union representing tens of thousands of transit workers across the Metropolitan Transportation Authority (MTA) system, formally disclosed a confirmed data breach through a regulatory attorney general filing on April 24, 2026. The disclosure was logged in public incident trackers the following day. While the union has not yet released a full technical narrative of the intrusion, the classification of the event as a "confirmed breach" rather than a "suspected" or "investigative" event indicates that exfiltration or unauthorized access to sensitive records has been verified by the organization or its incident response partners.

The estimated impact range of 10,000 to 100,000 records places this incident in the mid-tier of union-sector breaches, but the population affected is particularly sensitive given the role TWU Local 100 plays in representing critical infrastructure workers.

What Was Taken

Public filings confirm four categories of data types were impacted in the incident, though the union has not yet enumerated each category in full public detail. Based on standard breach patterns affecting labor organizations of this size and the regulatory threshold that triggered an attorney general filing, the exposed data set is highly likely to include:

Records affected fall in the 10,000 to 100,000 range, suggesting a substantial portion of the membership roster was exposed.

Why It Matters

TWU Local 100 represents workers who keep New York City's subway and bus systems operational. A compromise of this membership database is not merely a privacy event; it is a soft-targeting opportunity for adversaries interested in transit-sector personnel. Threat actors with state-aligned or financially motivated objectives can leverage member rosters for spear-phishing campaigns aimed at MTA employees, social engineering against transit operations staff, or identity fraud at scale against a workforce that historically has had limited cybersecurity training compared to corporate environments.

Labor unions have become an increasingly attractive target over the past 24 months. They typically hold large volumes of PII, operate with constrained IT budgets, and serve as a single pivot point that touches multiple downstream employers. A breach at the union level can cascade into credential reuse risk and pretexting attacks against the underlying transit authority itself.

The Attack Technique

The specific intrusion vector has not been publicly disclosed in the initial filing. Tracked timeline events for the incident are limited to four entries as of April 25, 2026, and no threat actor has publicly claimed responsibility on monitored leak sites at the time of writing. Common vectors observed in comparable union sector breaches over the past year include:

Defenders should treat the absence of an attribution claim as a temporary state and monitor leak site postings over the coming weeks.

What Organizations Should Do

Transit sector employers, peer labor organizations, and any entity sharing membership data with TWU Local 100 should take the following steps immediately:

  1. Treat MTA and transit worker email addresses as elevated phishing risk. Push tuned awareness messaging and tighten inbound mail filtering for the affected population.
  2. Audit shared data flows with the union. Identify any integrations, SFTP feeds, or API connections that could allow lateral movement from a compromised union environment into employer systems.
  3. Force credential rotation for any shared service accounts used between union systems and employer or vendor platforms, and enforce MFA on all remaining access paths.
  4. Monitor for identity fraud indicators against the affected workforce, including new account openings, payroll redirect attempts, and benefits fraud filings.
  5. Brief executive protection and HR teams on the heightened risk of impersonation attempts referencing union membership, dues, or grievance processes.
  6. Engage with the union's incident response disclosure as it is updated, and revisit third-party risk ratings for labor partners to reflect the current threat environment.
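
Steps 1 and 5 above can be turned into a mail-gateway triage rule that applies stricter checks only to the exposed population. The following is an added example, not part of the original article or any vendor's product; the domains, roster addresses, lure terms and sample messages are constructed placeholders, and it assumes your own gateway stamps the Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions, not from the article: placeholder domains, roster and lure terms.
UNION_DOMAINS = {"union.example"}  # the union's real sending domain(s) go here
AFFECTED = {"j.rivera@transit.example", "m.chen@transit.example"}  # constructed
LURE = re.compile(r"\b(union|local 100|dues|grievance|membership)\b", re.I)

def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def score(raw: str) -> tuple[int, list[str]]:
    """Return (number of findings, findings) for one inbound message."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if rcpt not in AFFECTED:  # only the exposed population gets the stricter rules
        return 0, []
    reasons = []
    themed = LURE.search(msg.get("Subject", "")) or LURE.search(name)
    if themed and _domain(sender) not in UNION_DOMAINS:
        reasons.append("union-themed mail from non-union domain")
    if reply and _domain(reply) != _domain(sender):
        reasons.append("Reply-To domain differs from From domain")
    # Only trust Authentication-Results stamped by your own gateway.
    auth = msg.get("Authentication-Results", "").lower()
    if _domain(sender) in UNION_DOMAINS and "dmarc=pass" not in auth:
        reasons.append("claims union domain without DMARC pass")
    return len(reasons), reasons

def _mail(**headers: str) -> str:
    # Build a minimal RFC 5322 message; Reply_To becomes the Reply-To header.
    return "".join(f"{k.replace('_', '-')}: {v}\n" for k, v in headers.items()) + "\nbody\n"

# Constructed sample messages (only the headers matter here).
PHISH = _mail(From='"TWU Dues Office" <billing@dues-update.example>',
              To="j.rivera@transit.example", Reply_To="help@mailbox.example",
              Subject="Action required: confirm your dues payment")
LEGIT = _mail(From='"Member Services" <news@union.example>',
              To="m.chen@transit.example", Subject="Grievance hearing schedule",
              Authentication_Results="mx.transit.example; dmarc=pass")
SPOOF = _mail(From='"Member Services" <news@union.example>',
              To="m.chen@transit.example", Subject="Membership records update",
              Authentication_Results="mx.transit.example; dmarc=fail")

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT), ("SPOOF", SPOOF)):
        print(label, score(raw))
```

A non-zero score is a reason to quarantine for analyst review rather than a verdict; tune the lure terms against your own false-positive rate.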

Sources: Transport Workers Union Local 100 Cybersecurity Incident Details - Board Cybersecurity