The National Railroad Passenger Corporation (Amtrak) has disclosed a data breach that may have resulted in the compromise of customer personally identifiable information (PII).
The data breach was discovered on April 16, 2020. In a letter to the Attorney General's Office of Vermont, made public on April 29, the rail service said that an unknown third party managed to fraudulently access Amtrak Guest Rewards accounts.
The Amtrak Guest Rewards service allows passengers to rack up points when they travel to exchange for discounts, hotels, and gift cards, among other offerings.
The attack vector was compromised usernames and passwords, which may indicate the reuse of credentials previously leaked or stolen elsewhere (credential stuffing), or a brute-force attack against account logins.
Amtrak says that some personal information was viewable, although the company has not specified what data may have been compromised. However, Amtrak was keen to emphasize that Social Security numbers, credit card information, and other financial data were not involved in the data leak.
Users who receive a notice that their Amtrak Guest Rewards account was potentially included in the breach will also find that a forced password reset has been applied to their account.
The company's security team said that after detecting suspicious activity, access was revoked "within a few hours."
In a statement, Amtrak said the firm is "[taking] this matter very seriously and is taking steps to help prevent incidents like this from happening again."
External cybersecurity professionals have been engaged to investigate the issue -- alongside law enforcement -- and Amtrak is working on bolstering its security posture.
Amtrak says there is no evidence, at present, that customer information has been exploited, such as through sales or identity fraud. Affected customers are being offered one year of free Experian credit monitoring.
Travel is an industry that attracts cyberattackers due to the valuable customer information organizations collect, process, and store.
In March, the Marriott hotel chain disclosed a security incident in which an attacker was able to access data belonging to roughly 5.2 million customers, and two months later, easyJet said that the PII of up to nine million customers may have been stolen -- including several thousand credit card records.
The consequences of a data breach can be expensive -- and not just in terms of damage mitigation, investigations, and regulator fines. Lawsuits launched on behalf of customers for compensation are common, as in the case of easyJet, which is now facing an £18 billion ($22bn) class-action lawsuit.