If you booked train tickets for a European getaway in the past few months, you might want to check your bank statements.
Rail Europe, a site used by Americans to buy train tickets in Europe, has revealed a three-month data breach of credit cards and debit cards.
The announcement came in a letter filed with the California attorney general, in which the company said hackers put credit card-skimming malware on its website between late-November 2017 and mid-February 2018.
The company said credit card numbers, expiration dates, and card verification codes were stolen -- everything needed by a fraudster to carry out unauthorized purchases. The hackers also stole name, gender, delivery and invoicing addresses, phone numbers, email addresses, and in some cases usernames and passwords of customers on the website.
Users should change their passwords. If the same username and password set is used on any other site, they should be changed, too.
Rail Europe said it "replaced and rebuilt" compromised systems from known-to-be safe code. Although the company didn't say how the hackers breached its systems to install the credit card-skimming code, the letter added that passwords were changed and certificates were renewed following the hack.
It's not known how many customers are affected. California data breach law mandates that any breach affecting more than 500 state residents has to publicly list the breach notification with the state attorney general's office.
When asked how many people are affected by the breach, a spokesperson for Rail Europe said: "We are not sharing that information at this time."
According to the company's website, the site had over five million customers last year.