The National Railroad Passenger Corporation (Amtrak) has disclosed a data breach that could result in a customer personally identifiable information (PII) compromise.
On 16 April 2020, the data breach was discovered. In a letter to the Vermont Attorney General’s Office, published on April 29, the rail service said an unknown third party managed to access Amtrak Guest Rewards accounts fraudulently.
The Amtrak Guest Rewards service lets passengers earn points while travelling that can be exchanged for discounts, hotel stays and gift cards, among other offers.
The attack relied on compromised usernames and passwords, which suggests the attacker either reused credentials leaked or stolen elsewhere or obtained them by brute force.
Amtrak says some personal information could be viewed, although the company did not specify what data might have been compromised. Amtrak was, however, keen to stress that the leak did not involve Social Security numbers, credit card information or other financial data.
Customers notified that their Amtrak Guest Rewards account may have been included in the breach will also find that a password reset has been forced on the account.
The security team at the company said that access was revoked “within a few hours” after suspicious activity was detected.
Amtrak said in a statement the company is “[taking] this matter very seriously and is taking steps to help prevent these incidents from happening again.”
External cybersecurity experts were involved in investigating the problem — alongside law enforcement — and Amtrak is working to improve its security posture.
At present, Amtrak says there is no evidence that customer information has been misused, for example by being sold or used for identity theft. Affected customers are offered one year of free Experian credit monitoring.
Travel is an industry that attracts cyberattackers because organisations in the sector collect, process and store valuable customer information.
In March, the Marriott hotel chain reported a security incident where an attacker could access data belonging to approximately 5.2 million customers, and two months later, easyJet said the PII of up to nine million customers could have been stolen, including several thousand credit card records.
A data breach can have expensive consequences, and not only in terms of damage compensation, inquiries and regulator fines. Class-action lawsuits seeking compensation on behalf of customers are increasingly common, as in the case of easyJet, which is now facing a class action worth £18 billion ($22 billion).