Amtrak discloses data breach, potential leak of customer account data

The rail service says that customer PII may have been compromised.
Written by Charlie Osborne, Contributing Writer

The National Railroad Passenger Corporation (Amtrak) has disclosed a data breach that may have resulted in the compromise of customer personally identifiable information (PII).

The data breach was discovered on April 16, 2020. In a letter to the Attorney General's Office of Vermont, made public on April 29, the rail service said that an unknown third party managed to fraudulently access Amtrak Guest Rewards accounts. 

The Amtrak Guest Rewards service allows passengers to rack up points when they travel to exchange for discounts, hotels, and gift cards, among other offerings.


The attack vector was compromised usernames and passwords, which may suggest the reuse of credentials previously leaked or stolen elsewhere, or brute-force guessing.
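Both patterns named above leave a distinct footprint in login telemetry: credential stuffing shows one source trying many different usernames, typically once each, while brute force shows one source hammering a single username with repeated failures. The following is an added detection example, not Amtrak's code and not part of the original article; the log line format and the sample lines are constructed for illustration, and the thresholds are assumptions a defender would tune to their own traffic.

```python
import re
from collections import defaultdict

# Constructed sample login log lines (assumed format; not real Amtrak telemetry).
# Addresses are from documentation ranges; usernames are placeholders.
SAMPLE_LOG = """\
2020-04-16T02:00:01Z ip=203.0.113.5 user=alice result=FAIL
2020-04-16T02:00:02Z ip=203.0.113.5 user=bob result=FAIL
2020-04-16T02:00:03Z ip=203.0.113.5 user=carol result=OK
2020-04-16T02:00:04Z ip=203.0.113.5 user=dave result=FAIL
2020-04-16T02:00:05Z ip=203.0.113.5 user=erin result=FAIL
2020-04-16T02:00:06Z ip=203.0.113.5 user=frank result=OK
2020-04-16T02:01:00Z ip=198.51.100.9 user=grace result=FAIL
2020-04-16T02:01:01Z ip=198.51.100.9 user=grace result=FAIL
2020-04-16T02:01:02Z ip=198.51.100.9 user=grace result=FAIL
2020-04-16T02:01:03Z ip=198.51.100.9 user=grace result=FAIL
2020-04-16T02:01:04Z ip=198.51.100.9 user=grace result=FAIL
2020-04-16T02:01:05Z ip=198.51.100.9 user=grace result=FAIL
2020-04-16T02:05:00Z ip=192.0.2.77 user=heidi result=FAIL
2020-04-16T02:05:09Z ip=192.0.2.77 user=heidi result=OK
"""

# Assumed line layout: timestamp, source IP, attempted username, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_login_abuse(events, stuffing_min_users=5, brute_min_fails=5):
    """Return findings for the two patterns described in the article.

    credential_stuffing: a source IP that attempted at least stuffing_min_users
        distinct usernames, with the list of accounts it logged into successfully
    brute_force: an (ip, user) pair with at least brute_min_fails failed attempts
    """
    users_per_ip = defaultdict(set)
    fails_per_ip_user = defaultdict(int)
    successes_per_ip = defaultdict(set)
    for e in events:
        users_per_ip[e["ip"]].add(e["user"])
        if e["result"] == "FAIL":
            fails_per_ip_user[(e["ip"], e["user"])] += 1
        else:
            successes_per_ip[e["ip"]].add(e["user"])

    stuffing = [
        {
            "ip": ip,
            "distinct_users": len(users),
            "compromised": sorted(successes_per_ip[ip]),
        }
        for ip, users in users_per_ip.items()
        if len(users) >= stuffing_min_users
    ]
    brute_force = [
        {"ip": ip, "user": user, "failures": n}
        for (ip, user), n in fails_per_ip_user.items()
        if n >= brute_min_fails
    ]
    return {"credential_stuffing": stuffing, "brute_force": brute_force}


def accounts_to_reset(findings):
    """Accounts that were successfully logged into from a flagged source.

    These are the accounts a defender would force a password reset on and
    notify, which is the response Amtrak describes for affected members.
    """
    reset = set()
    for f in findings["credential_stuffing"]:
        reset.update(f["compromised"])
    return sorted(reset)


if __name__ == "__main__":
    findings = detect_login_abuse(parse_log(SAMPLE_LOG))
    print(findings)
    print("force password reset for:", accounts_to_reset(findings))
```

The split matters for response: a brute-forced account that never saw a success needs rate limiting and perhaps a lockout, whereas accounts on the stuffing source's success list are the ones the breach letter describes, where the password is known to the attacker and a forced reset is the only adequate remedy.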

Amtrak says that some personal information was viewable, although the company has not specifically said what data may have been compromised. However, Amtrak was keen to emphasize that Social Security numbers, credit card information, and other financial data were not involved in the data leak.

Users who receive a notice that their Amtrak Guest Rewards account was potentially included in the breach will also find that a password reset has been forced on their account.

The company's security team said that after detecting suspicious activity, access was revoked "within a few hours."

In a statement, Amtrak said the firm is "[taking] this matter very seriously and is taking steps to help prevent incidents like this from happening again."


External cybersecurity professionals have been engaged to investigate the issue -- alongside law enforcement -- and Amtrak is working on bolstering its security posture.

Amtrak says there is no evidence, at present, that customer information has been exploited, such as through sales or identity fraud. Affected customers are being offered one year of free Experian credit monitoring. 

Travel is an industry that attracts cyberattackers due to the valuable customer information organizations collect, process, and store.


In March, the Marriott hotel chain disclosed a security incident in which an attacker was able to access data belonging to roughly 5.2 million customers, and two months later, easyJet said that the PII of up to nine million customers may have been stolen -- including several thousand credit card records. 

The consequences of a data breach can be expensive -- and not just in terms of damage mitigation, investigations, and regulator fines. Lawsuits launched on behalf of customers for compensation are common, as in the case of easyJet, which is now facing an £18 billion ($22bn) class-action lawsuit. 
