A ransomware group known as INC RANSOM spent more than two months inside the network of Teamsters Local 175 before the West Virginia union detected the intrusion. By the time it was over, the personal records of 24,780 workers—Social Security numbers, names, and commercial driver's license data—had been exposed and claimed on the dark web.
On March 13, 2026, Teamsters Local 175 filed a breach notice with the Maine Attorney General's office, one of the country's most transparent state-level disclosure repositories for data breach filings. The notice confirmed that the union had experienced a ransomware attack dating back to at least January 2, 2026—nearly ten weeks before the organization detected unauthorized activity in its systems on March 4, 2026. Notification letters began reaching affected individuals on March 10, 2026, three days before the state filing. The union is based in South Charleston, West Virginia, and represents workers in West Virginia, Kentucky, Ohio, and Virginia.
The incident is already drawing attention from multiple class action law firms. Lynch Carpenter, LLP issued a statement on March 18, 2026 confirming it was investigating claims on behalf of affected members. Strauss Borrelli PLLC and Shamis & Gentile P.A. have also opened investigations. The legal activity signals that affected members view the breach as one involving a failure of reasonable care around sensitive data—not simply a criminal act outside the union's control.
What Happened and When
The attack timeline is one of the most significant details in this incident. According to the breach notice filed with Maine's Attorney General, an unauthorized third party first gained access to Teamsters Local 175's computer systems as early as January 2, 2026. The union did not detect this activity until March 4, 2026—a gap of roughly 62 days. That extended dwell time is consistent with how modern ransomware operations work: initial compromise, quiet reconnaissance, lateral movement across the network, data exfiltration, and only then the destructive encryption phase that forces victim organizations to notice.
INC RANSOM had already publicly claimed the attack before the union acknowledged it. Breach monitoring service Breachsense first recorded the group's dark web posting about Teamsters Local 175 on February 24, 2025, while Claimdepot's breach filing cites the claim date as February 21, 2025. Both dates predate the union's reported earliest access date of January 2, 2026 by approximately a year. The most credible interpretation, consistent with how INC RANSOM operates, is that the 2025 dark web posting reflects an earlier, separate reconnaissance or initial access event—or a data sample posted well before the full exfiltration and encryption campaign that unfolded in early 2026. Dark web claim dates recorded by monitoring services do not always align precisely with the attack window later confirmed in formal breach notices. The Maine Attorney General filing, Lynch Carpenter's March 18, 2026 announcement, and all legal filings collectively establish the confirmed active breach window as January 2, 2026 through discovery on March 4, 2026.
Once the union discovered the intrusion, it moved quickly: securing the network, engaging third-party forensic investigators, and beginning its review of affected data. The investigation confirmed that an unauthorized party had accessed systems containing personally identifiable information, and the union undertook the work of identifying precisely which individuals were impacted.
Maine's breach notification law requires organizations to notify the Attorney General whenever a breach affects even a single Maine resident. The Teamsters Local 175 filing confirms two Maine residents were among the 24,780 affected. The state's public disclosure registry is a reliable primary source for verifying breach details including affected counts, data types, and notification timelines.
This Was Not the First Time
The broader Teamsters organization has confronted ransomware before—and its response then was notably different. In September 2019, the International Brotherhood of Teamsters was targeted in a ransomware attack over Labor Day weekend. The attackers demanded $2.5 million. According to NBC News reporting from 2021, union officials negotiated the figure down to $1.1 million, but ultimately declined to pay—an outcome driven in part by their insurance company, which pushed back against settlement. The FBI, by contrast, advised the union to pay. They refused. Instead, they rebuilt their network from archival material, recovering 99 percent of their data, including some retrieved from hard copies.
Two details about that 2019 incident matter directly to the 2026 Local 175 breach. First, no member personal information was compromised in 2019—the attack encrypted systems but did not exfiltrate member records. Second, that attack predated the era of double extortion. Ransomware groups in 2019 encrypted data and demanded payment for decryption keys. If the victim refused, the attacker moved on. There were no threats to publish stolen data because, in many cases, no data had been stolen.
| | 2019: International Brotherhood of Teamsters | 2026: Teamsters Local 175 |
| --- | --- | --- |
| Attacker | Unknown / opportunistic | INC RANSOM (RaaS group, mid-2023–present) |
| Ransom | $2.5M demanded (negotiated to $1.1M) | Not disclosed publicly |
| Data exfiltrated | No | Yes — before encryption |
| Member data exposed | No | Yes — 24,780 records |
| Double extortion | No | Yes |
| Outcome | Refused to pay. Rebuilt from backups. 99% data recovered. | Data irrecoverably out of organization's control regardless of payment. |
| Leverage type | Operational disruption only | Permanent data exposure + operational disruption |
INC RANSOM's attack on Local 175 operates under a completely different playbook. The group exfiltrated member data before triggering encryption—meaning that even a decision not to pay a ransom would not undo the exposure. The data was already out of the organization's control before Local 175 knew it was gone. That structural shift between 2019 and 2026 represents the central challenge ransomware poses today: the leverage is no longer just operational disruption. It is the permanent, irreversible exposure of people whose information was never theirs to give away.
Who INC RANSOM Is
INC RANSOM is a ransomware-as-a-service (RaaS) operation that emerged in mid-2023. Unlike threat groups that splinter from existing criminal organizations, INC RANSOM appears to have been developed as an original creation. Security researchers at Halcyon characterize it as a financially motivated group that uses double-extortion tactics: attackers both encrypt victim data and exfiltrate it, then threaten to publish the stolen material on a dark web leak site if ransom demands go unmet.
According to SOSRansomware's 2025 threat analysis, INC RANSOM applies a methodical, selective approach, concentrating on organizations with large stores of sensitive data and the financial capacity to pay substantial ransoms rather than running indiscriminate mass campaigns.
The group's target selection is deliberate. Rather than running indiscriminate mass campaigns, INC RANSOM concentrates on organizations that hold large quantities of sensitive records and face strong institutional pressure to resolve incidents quickly. That calculus applies directly to labor unions, which maintain detailed records on tens of thousands of current and former members, including health and welfare fund data, pension information, and government-issued identification numbers.
INC RANSOM's technical approach has evolved as security researchers have documented its tooling in greater detail. The group exploits known vulnerabilities in widely deployed remote access and management products. Citrix NetScaler and Fortinet appliances remain common initial access vectors. In 2025, affiliates actively exploited CVE-2024-57727, a path traversal vulnerability in SimpleHelp Remote Monitoring and Management (RMM) software versions 5.5.7 and earlier. The Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities catalog on February 13, 2025, and issued a formal advisory in June 2025 warning that ransomware actors were leveraging it against downstream customers of managed service providers. INC RANSOM also obtains initial access through phishing and through valid credentials purchased from Initial Access Brokers operating on underground marketplaces. Once inside a network, the group uses legitimate tools for reconnaissance and lateral movement—NETSCAN.EXE and Advanced IP Scanner for network mapping, AnyDesk for remote desktop control, and file-sharing utilities like MEGASync for exfiltration. Encrypted files receive the .inc extension, and ransom notes titled INC-README.txt or INC-README.html are dropped on affected hosts. This living off the land technique makes detection significantly harder because the activity blends with normal administrative behavior — a pattern explored in detail in the analysis of how attackers use legitimate Windows tooling to evade and kill EDR defenses.
The group's growth has been substantial. Blackpoint Cyber's threat intelligence tracking recorded INC RANSOM listing 162 victims in 2024, with that number surpassing 300 in 2025. MOXFIVE's threat intelligence reporting through August 2025 confirmed INC was the single most deployed ransomware based on leak site victim volume in July 2025. Halcyon's data for the first half of 2025 shows healthcare organizations as the primary target, accounting for 29% of attacks, followed by manufacturing at 10% and education at 9%. Labor unions and other membership organizations are a growing category as ransomware operators expand their focus beyond the sectors they have historically concentrated on.
In March 2024, an actor within the criminal underground announced the sale of INC RANSOM's complete source code for approximately $300,000, limiting sales to three buyers. That commercialization produced a derivative variant called Lynx ransomware, which shares roughly 70% code similarity with INC RANSOM. The existence of derivative strains means that even if INC RANSOM's core infrastructure were disrupted, its tooling and techniques would persist in the ecosystem.
Why Labor Unions Are Targets
The Teamsters Local 175 attack is not an isolated incident in the labor union sector. On June 16, 2025, Teamsters Local Unions 117, 174, and 763 in Washington State detected a network intrusion that compromised member PII including Social Security numbers, dates of birth, and addresses. That incident was reported to the Washington State Attorney General on July 15, 2025, and affected 124,703 individuals—a figure that underscores the scale of member data these organizations hold. In August 2025, Teamsters Union 25 Health Services & Insurance Plan (known as TeamstersCare) in Massachusetts disclosed a separate breach affecting 19,935 members, with the compromised data including protected health information such as member IDs and health insurance details in addition to standard PII.
Three distinct Teamster-affiliated entities have now reported cybersecurity incidents within the span of roughly nine months, a pattern that reflects how ransomware operators identify and repeatedly target an organizational category once they have developed effective techniques against it. The total number of individuals affected across these three incidents exceeds 168,000.
Labor unions present a specific combination of characteristics that ransomware actors find attractive. They maintain extensive member databases spanning decades of employment history. They hold health and welfare fund records, which in many cases contain protected health information in addition to standard PII. They operate with relatively small administrative staffs—Teamsters Local 175 employs approximately ten individuals—which means security resources are limited. And their member obligations create pressure to resolve incidents quickly and maintain trust with the workers they represent.
What Was Exposed and Who Is Affected
The breach notice confirmed three categories of information were potentially exposed, though the specific combination varies by individual. Affected records include full names combined with Social Security numbers, commercial driver's license information, or both. Social Security numbers are the most consequential category from an identity theft risk standpoint. Combined with a full name, a stolen SSN enables fraudulent tax filings, unauthorized credit applications, benefits fraud, and the creation of synthetic identities that can persist for years before detection.
In total, 24,780 individuals across the United States were confirmed affected. The breach notice filed with the Maine Attorney General's office shows two Maine residents among the affected population, and the Massachusetts Attorney General's filing confirms seven Massachusetts residents. The overwhelming majority of affected individuals are current or former members and benefit plan participants based in West Virginia, Kentucky, Ohio, and Virginia—the four states where Teamsters Local 175 holds representation.
Founded in 1940, Teamsters Local 175 represents workers in the construction, transportation, and warehouse industries. The membership includes truck drivers, warehouse employees, mechanics, and construction apprentices. The union also maintains health and welfare funds covering both active members and retirees, which means the affected individuals span the full employment lifecycle of union membership—not just current workers.
If your commercial driver's license information was included in the breach, contact your state's Department of Motor Vehicles to place a flag or alert on your CDL record. Verify that no unauthorized endorsement changes or medical certification updates have been filed. Report any discrepancies to the Federal Motor Carrier Safety Administration (FMCSA). Fraudulent CDL credential activity can affect your professional standing and insurability, not just your personal finances.
Claimdepot.com's March 2026 breach investigation report notes that federal and state laws provide legal recourse for individuals whose sensitive personal data is exposed because an organization failed to secure it adequately.
Teamsters Local 175 is providing affected individuals with complimentary credit monitoring services. If you received a notification letter, enroll in those services immediately, place a fraud alert or credit freeze with all three major bureaus (Equifax, Experian, TransUnion), monitor your IRS account at IRS.gov for signs of tax fraud, and review your Social Security Administration earnings record for unauthorized entries. Keep a copy of the breach letter for your records.
Legal Action and Regulatory Filings
Multiple law firms moved rapidly once the breach became public. Lynch Carpenter, LLP issued a formal investigation announcement on March 18, 2026, the same day this article was published, through GlobeNewswire. Strauss Borrelli PLLC published its investigation notice on March 16, 2026, noting that while the specific types of information exposed vary by individual, the breach involved sensitive PII with broad potential for downstream harm. Shamis & Gentile P.A. is also investigating through a case intake process managed by Claimdepot.com.
The legal theory underlying these investigations centers on whether Teamsters Local 175 exercised reasonable care in protecting the sensitive information entrusted to it by its members. Ransomware attacks are criminal acts perpetrated by external threat actors, but data breach litigation focuses on the victim organization's security posture, its detection and response timelines, and whether adequate safeguards were in place before the incident. A 62-day undetected dwell time will be a central point of scrutiny in any future legal proceedings.
Two questions that affected members will reasonably ask are not answered in any public filing. The first is whether Teamsters Local 175 paid a ransom. The breach notice, state AG filings, and law firm announcements make no mention of a ransom payment or a refusal to pay. The union has not made a public statement on this point. Given INC RANSOM's double-extortion model — the same playbook used in the SafePay ransomware attack on Conduent — any ransom payment would address the encryption side of the attack; it would not and could not erase the data already exfiltrated from the organization's systems before the encryption event occurred. The second question is whether INC RANSOM followed through on its threat to publish the stolen data. The group's standard practice is to list non-paying victims on its dark web leak site and publish samples of stolen records as leverage. As of the date this article was published, no confirmation that the Teamsters Local 175 member data has been fully published has appeared in public threat intelligence sources. That status can change. Affected individuals should not treat the absence of a public data dump as a guarantee that their information has not been circulated privately within criminal networks.
The regulatory picture involves at minimum two state filings: Maine and Massachusetts, with the Maine AG filing serving as the primary public reference. Organizations operating in Maine are required to notify the AG and affected residents under Maine's data breach notification statute. The breach notice confirms written notices were sent to affected individuals beginning March 10, 2026, before the state filing on March 13—an ordering that satisfies Maine's notice-first requirements.
It should be noted that the Teamsters organization more broadly has faced a difficult run of cybersecurity incidents in recent months. The August 1, 2025 incident affecting TeamstersCare (Teamsters Union 25 Health Services & Insurance Plan) in Massachusetts affected 19,935 members and included protected health information—a more expansive data type than the PII exposed at Local 175. The June 16, 2025 incident affecting Locals 117, 174, and 763 in Washington State affected 124,703 individuals. And now this breach at Local 175 in West Virginia. Whether these incidents share any common attack infrastructure or represent independent opportunistic attacks by different threat actors has not been publicly established. No threat actor has been publicly named in connection with the Washington State or TeamstersCare incidents.
Key Takeaways and What Should Change
What the Evidence Shows
- The dwell time matters: INC RANSOM had access to Teamsters Local 175's systems for roughly 62 days before detection. Extended dwell time is a hallmark of sophisticated ransomware operations and significantly increases the volume of data that can be exfiltrated before an organization responds.
- CDL exposure adds professional risk: The inclusion of commercial driver's license information alongside Social Security numbers means affected truck drivers and other CDL holders face identity fraud risk that extends to their professional credentials, not just their personal finances.
- Labor unions are an emerging ransomware target category: Three Teamster-affiliated organizations have now reported breaches within nine months, with a combined total exceeding 168,000 affected individuals. Small administrative staffs, extensive member records, and institutional pressure to resolve incidents quickly make unions an attractive target profile for double-extortion operations.
- INC RANSOM's scale is growing: The group claimed more than 300 victims in 2025, up from 162 in 2024. Its RaaS model means affiliate actors carry out attacks while the core group provides tooling and infrastructure, broadening the pool of potential attackers operating under its banner.
- Ransomware has structurally changed since the Teamsters last faced it: The International Brotherhood of Teamsters refused to pay a $2.5 million ransom in 2019 and rebuilt its systems without exposing member data. That outcome was possible because the 2019 attack was encryption-only. INC RANSOM's 2026 attack on Local 175 exfiltrated member records before encrypting systems. Refusing to pay does not retrieve stolen data. The leverage has shifted permanently.
- The data publication question remains open: INC RANSOM operates a dark web leak site and threatens to publish stolen records if ransom demands go unmet. As of publication, no confirmed full release of Teamsters Local 175 member data has appeared in public threat intelligence sources. Affected individuals should monitor their accounts and credit reports regardless, as data circulated privately in criminal networks may not appear in any public disclosure.
What Affected Members Should Do
Credit freezes are free, effective, and reversible. Place one with all three bureaus — Equifax, Experian, and TransUnion — not just a fraud alert, which is weaker. Monitor your IRS account at IRS.gov for unauthorized filings. Review your Social Security Administration earnings record. If your CDL was part of the exposed data, contact your state DMV and the Federal Motor Carrier Safety Administration to flag your record for unauthorized changes. Do not rely on the complimentary credit monitoring alone — it alerts you after damage occurs; a freeze prevents it from being possible in the first place.
SSN exposure in combination with CDL data is a particularly dangerous pairing because it gives a fraudster both the identity anchor and a professional credential pathway. Synthetic identity fraud using CDL records is a documented vector for freight and logistics fraud, insurance fraud, and commercial credit fraud. The harm timeline can extend years beyond the breach date.
What Labor Unions Should Be Doing Differently
The solutions most commonly proposed after breaches like this — patch faster, train users on phishing, buy cyber insurance — are real but surface-level. They address individual controls without addressing the structural vulnerabilities that made Teamsters Local 175 attractive to INC RANSOM in the first place. Three more substantive areas deserve attention from union leadership and the broader labor sector.
Adopt a data minimization policy with mandatory retention schedules. Labor unions routinely hold decades of member records because there is no internal pressure to delete them. Former members, retirees, and workers from defunct contracts remain in databases long after any operational need for their data exists. A formal data minimization policy — one that specifies retention periods by data type and automates deletion or archiving when those periods lapse — directly reduces the blast radius of any future incident. The 24,780 individuals affected here span the full membership lifecycle precisely because no such policy appears to have constrained what was accessible. Minimization is not an IT task; it requires policy decisions by union leadership about what data is actually necessary to hold.
Implement network segmentation that isolates member PII from operational systems. INC RANSOM affiliates use lateral movement tools specifically designed to traverse flat networks — environments where once you are inside, you can reach everything. A union's payroll and health fund databases should not be reachable from the same network segment as email, shared drives, and member-facing portals. Segmentation does not stop initial access, but it forces attackers to make additional, noisier moves to reach sensitive data. It also contains the blast radius when encryption fires. Flat network architecture is common in small organizations because it is simpler to manage, but for organizations holding tens of thousands of SSNs, that simplicity is a structural liability.
Contract for continuous detection, not periodic scanning. A 62-day dwell time suggests either no monitoring of network anomalies, or monitoring that was not tuned to detect the behaviors INC RANSOM affiliates actually produce. Lateral movement via NETSCAN.EXE, AnyDesk remote sessions, and MEGASync upload bursts are detectable with properly configured security information and event management (SIEM) tooling or a managed detection and response (MDR) provider. Unions with small IT staffs cannot realistically staff a 24/7 security operations function internally, but they can contract for MDR services at price points calibrated for mid-sized organizations. The key contractual requirement is behavioral detection with defined escalation timelines — not a service that generates weekly PDF reports. The question to ask any MDR vendor is: at what point in INC RANSOM's documented kill chain would your service have generated an alert, and what is the escalation path from that alert to isolation of affected endpoints?
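As an added illustration (not code from any vendor or from the sources cited here), the sketch below shows the kind of behavioral correlation this paragraph asks an MDR service to perform, using the tool names, `.inc` extension and ransom-note file names listed earlier in the article. The event format, process image names, severity labels and thresholds are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Image names are assumed for the tools the article names; categories are this example's own.
TOOLS = {"netscan.exe": "network_scan", "advanced_ip_scanner.exe": "network_scan",
         "anydesk.exe": "remote_access", "megasync.exe": "cloud_sync"}
RANSOM_NOTES = {"inc-readme.txt", "inc-readme.html"}
RANK = {"medium": 1, "high": 2, "critical": 3}

def parse(lines):
    """Yield (timestamp, host, event type, lowercased file name) per JSON line."""
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            name = PureWindowsPath(ev["path"]).name.lower()
            yield datetime.fromisoformat(ev["ts"]), ev["host"], ev["type"], name

def max_in_window(times, window):
    """Largest count of timestamps inside any sliding span of `window`."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def categories_in_window(seen, window):
    """Largest set of distinct tool categories seen within `window` of each other."""
    seen, best = sorted(seen), set()
    for i, (t0, _) in enumerate(seen):
        cats = {c for t, c in seen[i:] if t - t0 <= window}
        best = cats if len(cats) > len(best) else best
    return best

def triage(lines, window=timedelta(hours=24), inc_burst=20,
           burst_window=timedelta(minutes=10)):
    """Return {host: (severity, [reasons])}; hosts with no finding are omitted."""
    tools, inc_writes, notes = defaultdict(list), defaultdict(list), defaultdict(set)
    for ts, host, kind, name in parse(lines):
        if kind == "process" and name in TOOLS:
            tools[host].append((ts, TOOLS[name]))
        elif kind == "file" and name in RANSOM_NOTES:
            notes[host].add(name)
        elif kind == "file" and name.endswith(".inc"):
            inc_writes[host].append(ts)
    findings = {}
    for host in sorted(set(tools) | set(notes) | set(inc_writes)):
        hits = []  # (severity, reason) pairs for this host
        if notes[host]:
            hits.append(("critical", "ransom note written: " + ", ".join(sorted(notes[host]))))
        burst = max_in_window(inc_writes[host], burst_window)
        # .inc is also an ordinary include-file suffix, so only a burst counts.
        if burst >= inc_burst:
            hits.append(("critical", f"{burst} .inc files written within {burst_window}"))
        cats = categories_in_window(tools[host], window)
        if len(cats) >= 2:
            hits.append(("high", "tool chain: " + " + ".join(sorted(cats))))
        elif cats:
            hits.append(("medium", "single tool: " + next(iter(cats))))
        if hits:
            top = max(hits, key=lambda h: RANK[h[0]])[0]
            findings[host] = (top, [reason for _, reason in hits])
    return findings

# Constructed sample events in a hypothetical normalized endpoint-log export format.
SAMPLE = r"""
{"ts": "2026-02-01T02:10:00", "host": "WS-07", "type": "process", "path": "C:\\Users\\Public\\netscan.exe"}
{"ts": "2026-02-01T02:40:00", "host": "WS-07", "type": "process", "path": "C:\\ProgramData\\AnyDesk\\AnyDesk.exe"}
{"ts": "2026-02-01T03:15:00", "host": "WS-07", "type": "process", "path": "C:\\Users\\svc\\AppData\\Local\\MEGAsync\\MEGAsync.exe"}
{"ts": "2026-02-01T09:00:00", "host": "HELPDESK-02", "type": "process", "path": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"}
{"ts": "2026-02-01T10:00:00", "host": "DEV-03", "type": "file", "path": "C:\\src\\app\\db.inc"}
{"ts": "2026-02-01T10:05:00", "host": "DEV-03", "type": "file", "path": "C:\\src\\app\\util.inc"}
{"ts": "2026-02-02T01:00:00", "host": "FS-01", "type": "file", "path": "D:\\Shares\\Members\\roster.xlsx.inc"}
{"ts": "2026-02-02T01:00:10", "host": "FS-01", "type": "file", "path": "D:\\Shares\\Members\\dues.csv.inc"}
{"ts": "2026-02-02T01:00:20", "host": "FS-01", "type": "file", "path": "D:\\Shares\\Members\\fund.docx.inc"}
{"ts": "2026-02-02T01:00:30", "host": "FS-01", "type": "file", "path": "D:\\Shares\\Members\\INC-README.txt"}
"""

if __name__ == "__main__":
    for host, (severity, reasons) in triage(SAMPLE.splitlines()).items():
        print(host, severity, reasons)
```

A single AnyDesk session rates only "medium" because help desks use the same tool legitimately; the scanner, remote-access and sync tools appearing together on one host within a day is what raises the severity.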
Apply CISA's Known Exploited Vulnerabilities catalog as an internal patching priority queue. CVE-2024-57727, the SimpleHelp vulnerability CISA added to its KEV catalog in February 2025, was being actively exploited in ransomware campaigns months before the Teamsters Local 175 breach window opened. The KEV catalog exists precisely so that organizations without large security teams have a clear, prioritized list of vulnerabilities that are actively being weaponized. Any internet-facing system running software on that list should be treated as a critical remediation item within 24 to 72 hours of the KEV addition, not in the next quarterly patch cycle. Unions using managed service providers should require contractual language that ties the MSP to KEV-based patch timelines, not general-purpose patch schedules.
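The following added example (not CISA tooling and not from the cited sources) turns the KEV-as-priority-queue idea above into a deadline calculation an MSP contract could be checked against. The feed excerpt and the asset inventory are constructed, the 72-hour external deadline is the upper bound stated above, and the 14-day internal deadline is an assumption of this example.

```python
import json
from datetime import datetime, timedelta

# Constructed one-entry excerpt using the KEV JSON feed's field names;
# the CVE, product and dateAdded are the ones given in this article.
KEV_FEED = """{"vulnerabilities": [{"cveID": "CVE-2024-57727",
  "vendorProject": "SimpleHelp", "product": "SimpleHelp", "dateAdded": "2025-02-13"}]}"""

# KEV entries carry no version range; this ceiling is the article's "5.5.7 and earlier".
AFFECTED_THROUGH = {"CVE-2024-57727": "5.5.7"}

# Hypothetical asset inventory (constructed hosts and versions).
INVENTORY = [
    {"host": "rmm-gw", "product": "SimpleHelp", "version": "5.5.6", "internet_facing": True},
    {"host": "rmm-lab", "product": "SimpleHelp", "version": "5.5.7", "internet_facing": False},
    {"host": "rmm-new", "product": "SimpleHelp", "version": "5.5.10", "internet_facing": True},
]

def vtuple(version):
    """'5.5.10' -> (5, 5, 10), so 5.5.10 compares as newer than 5.5.7."""
    return tuple(int(part) for part in version.split("."))

def remediation_queue(kev_feed, inventory, now,
                      external_sla=timedelta(hours=72),
                      internal_sla=timedelta(days=14)):  # internal SLA is an assumption
    """Return affected assets ordered by deadline, each with an overdue flag."""
    queue = []
    for vuln in json.loads(kev_feed)["vulnerabilities"]:
        ceiling = AFFECTED_THROUGH.get(vuln["cveID"])
        added = datetime.strptime(vuln["dateAdded"], "%Y-%m-%d")
        for asset in inventory:
            if asset["product"].lower() != vuln["product"].lower():
                continue
            # With no known ceiling, every installed version is treated as affected.
            if ceiling and vtuple(asset["version"]) > vtuple(ceiling):
                continue
            sla = external_sla if asset["internet_facing"] else internal_sla
            deadline = added + sla
            queue.append({"host": asset["host"], "cve": vuln["cveID"],
                          "deadline": deadline, "overdue": now > deadline})
    return sorted(queue, key=lambda item: item["deadline"])

if __name__ == "__main__":
    for item in remediation_queue(KEV_FEED, INVENTORY, datetime(2025, 2, 20)):
        print(item["host"], item["cve"], item["deadline"].date(),
              "OVERDUE" if item["overdue"] else "open")
```

Versions are compared as integer tuples because a plain string comparison would rank 5.5.10 below 5.5.7 and wrongly queue a patched host.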
Establish a sector-level threat intelligence sharing arrangement. The three Teamster-affiliated breaches within nine months almost certainly generated indicators of compromise — IP addresses, file hashes, domain names, tooling signatures — that could have been shared across the broader union sector. Currently there is no formal mechanism for labor unions to share threat intelligence the way financial institutions share through FS-ISAC or healthcare organizations share through H-ISAC. A union-sector ISAC, even an informal one coordinated through the AFL-CIO's technology or legal staff, would allow an organization that discovered an INC RANSOM intrusion to push indicators to peer organizations before the same affiliate moved laterally to the next target. The absence of such a mechanism is not inevitable — it is a gap that union leadership could close with deliberate organizational effort.
The Teamsters Local 175 breach is a clear example of how ransomware operators now approach organizations that have historically been outside the primary target set. Unions exist to protect workers. When a union's own security posture fails those same workers, the harm lands on people who may already be navigating difficult economic circumstances. The legal and reputational consequences of this incident will unfold over the coming months. What is certain today is that 24,780 individuals are now carrying the burden of an exposure they had no role in creating.
Sources
- Maine Attorney General — Teamsters Local 175 Breach Notice (Primary)
- Massachusetts Attorney General — Teamsters Local 175 Breach Filing
- GlobeNewswire — Lynch Carpenter Investigation Announcement, March 18, 2026
- Strauss Borrelli PLLC — Teamsters Local 175 Investigation Notice, March 16, 2026
- Claimdepot.com — Teamsters Local 175 Investigation (Shamis & Gentile)
- Breachsense — Teamsters Local 175 Dark Web Breach Report (Feb 24, 2025 claim date)
- JoinTheCase — Teamsters Locals 117, 174 & 763 Breach (124,703 affected, June 2025)
- Claimdepot.com — TeamstersCare (Local 25) Breach (19,935 affected, August 2025)
- NBC News — Ransomware Attack Hit Teamsters in 2019, But They Refused to Pay, June 2021
- Halcyon — INC RANSOM Threat Group Profile
- Blackpoint Cyber — INC RANSOM Threat Profile (162 victims 2024, 300+ in 2025)
- MOXFIVE — INC Ransom Threat Actor Spotlight, September 2025
- SOSRansomware — INC RANSOM: Anatomy and Solutions, 2025
- Fortra — INC Ransomware: What You Need to Know
- CISA Advisory AA25-163A — Ransomware Actors Exploit Unpatched SimpleHelp RMM, June 12, 2025
- CISA — CVE-2024-57727 Added to Known Exploited Vulnerabilities Catalog, February 13, 2025