Tramsa Mobility on the Ropes: Dealing with a Cyberattack (A) Custom Case Solution & Analysis
1. Evidence Brief
Financial Metrics
- Ransom Demand: 5 million Euro in Bitcoin requested by LockBit 2.0. (Exhibit 1)
- Potential Regulatory Fines: Up to 4 percent of annual global turnover under GDPR for data breach mismanagement. (Paragraph 14)
- Daily Operational Loss: Estimated at 450,000 Euro in lost ticket revenue and operational inefficiencies. (Exhibit 3)
- Insurance Coverage: Cyber-insurance policy limit of 2 million Euro, with a 500,000 Euro deductible. (Paragraph 22)
Operational Facts
- System Status: 100 percent of central servers encrypted; ticketing, route optimization, and internal communication systems are offline. (Paragraph 4)
- Fleet Impact: 1,200 buses and 45 trains operating on manual schedules, resulting in 35 percent delays. (Paragraph 7)
- Data Compromise: 1.2 Terabytes of data exfiltrated, including employee records and 500,000 customer profiles. (Paragraph 9)
- Backup Integrity: Primary and secondary digital backups were connected to the network and are also encrypted. (Paragraph 11)
Stakeholder Positions
- Jordi (CEO): Primary concern is public reputation and the 72-hour ultimatum before data publication. (Paragraph 18)
- Marc (CIO): Opposes payment; argues that decryption keys from criminals are unreliable and the network remains infected. (Paragraph 20)
- Elena (CFO): Analyzes the 5 million Euro cost against the projected 15 million Euro cost of a full manual rebuild. (Paragraph 21)
- Pilar (Communications): Reports a 400 percent increase in social media complaints and calls for immediate transparency. (Paragraph 25)
Information Gaps
- The exact age and viability of the off-site physical tape backups mentioned in the 2021 audit.
- The specific decryption success rate for LockBit 2.0 variants in the transport sector.
- Whether the 1.2 Terabytes of stolen data includes unencrypted payment card industry (PCI) data.
2. Strategic Analysis
Core Strategic Question
- Should Tramsa Mobility pay the 5 million Euro ransom to regain operational control and prevent a data leak, or refuse and undertake a costly, long-term system reconstruction?
Structural Analysis
Applying the Crisis Management Framework, the situation is a high-consequence, low-time-buffer event. The threat is not just operational downtime but the permanent erosion of public trust in a state-regulated utility. The bargaining power of the attacker is currently absolute because the company failed to air-gap its backups. However, paying the ransom creates a moral hazard and does not guarantee that the malware is removed or that the data will not be sold regardless.
Strategic Options
| Option | Rationale | Trade-offs |
| --- | --- | --- |
| Immediate Payment | Fastest path to potential decryption and service restoration. | High cost; no guarantee of data return; invites future attacks. |
| Rebuild and Refuse | Ensures a clean network and maintains ethical standing. | Extreme short-term revenue loss; high risk of massive GDPR fines. |
| Negotiated Delay | Buy time to locate physical backups while lowering the ransom. | Extends operational paralysis; risks early data release. |
Preliminary Recommendation
Tramsa should refuse to pay the ransom. The CIO correctly identifies that paying a criminal organization for a key does not fix the underlying vulnerability. The company must pivot immediately to a full-scale manual rebuild of the environment on a new cloud infrastructure. This path is more expensive but is the only way to ensure the integrity of the transport network moving forward.
3. Implementation Roadmap
Critical Path
- Hour 0 to 12: Isolate all physical hardware and terminate all external network connections to prevent further propagation.
- Hour 12 to 36: Provision a clean-room cloud environment and begin restoring the ticketing engine using the 2021 physical tape backups.
- Hour 36 to 72: Execute the mandatory GDPR notification to the Data Protection Authority and all affected customers.
- Day 4 to 10: Phased rollout of the route optimization system, prioritizing high-traffic urban corridors.
Key Constraints
- Talent Scarcity: The internal IT team is exhausted and lacks forensic expertise; external cybersecurity firms must be onboarded within 6 hours.
- Public Trust: Every hour of service delay increases the likelihood of government contract termination.
- Regulatory Deadline: The 72-hour GDPR window is non-negotiable; failure to report leads to maximum fines regardless of the ransom outcome.
Risk-Adjusted Implementation
The strategy assumes the physical tapes from 2021 are readable. If those tapes fail, the implementation must shift to a manual data entry process from paper records, which will extend the recovery timeline by 14 days. Contingency involves leasing temporary ticketing hardware to maintain cash flow while the primary servers are rebuilt.
4. Executive Review and BLUF
BLUF
Tramsa Mobility must refuse the 5 million Euro ransom demand. Payment offers no structural security and provides no legal protection against GDPR penalties. The company should immediately initiate a clean-build recovery on new infrastructure. While this will result in 10 days of significant service disruption and a 15 million Euro reconstruction cost, it preserves the long-term viability of the firm. The 72-hour regulatory notification window is the priority. Total transparency with the public is the only path to retaining the operating license.
Dangerous Assumption
The most consequential unchallenged premise is that the 2021 physical tape backups are functional and comprehensive. If these tapes are corrupted or incomplete, the recovery timeline doubles, and the CFO's calculations for the rebuild option become obsolete.
Unaddressed Risks
- Secondary Extortion: Even if the ransom is paid, the attackers may return in 6 months demanding more money to keep the same data private.
- Contractual Default: The analysis overlooks the specific clauses in the municipal transport contracts that allow for immediate termination in the event of a 72-hour total service cessation.
Unconsidered Alternative
The team failed to consider a partial payment strategy where Tramsa offers a nominal fee (e.g., 500,000 Euro) specifically for a proof-of-life sample of the most sensitive data, while simultaneously proceeding with the full rebuild. This could buy time without committing to the full 5 million Euro loss.
Verdict
APPROVED FOR LEADERSHIP REVIEW