Amtrak, the national rail service for the US, has suffered a data breach that may have exposed some customers’ logins and other personally identifiable information (PII), the service has disclosed.
The state-backed transportation company, which is also known as the National Railroad Passenger Corporation, says that a third party got unauthorized access to some Amtrak Guest Rewards accounts on the evening of 16 April. The rewards program enables customers to earn points – by spending on travel, hotels, car rentals and more – that they can then apply to Amtrak purchases.
Amtrak revealed the breach on Friday in a regulatory filing – namely, a sample letter to consumers about the breach – with the Office of the Vermont Attorney General.
The service said that it determined that the intruder used compromised usernames and passwords to access some reward accounts and that they may have also viewed customers’ personal information. However, the attacker didn’t access financial data, be it credit card information or Social Security taxpayer IDs.
Amtrak said that its security team immediately investigated the issue, stitching up the hole and blocking the unauthorized access within a few hours. Its security team also reset passwords on potentially affected accounts and pulled in outside cybersecurity expertise in order to ensure that the incident was in fact contained. Amtrak says it also implemented “additional safeguards to protect customers,” but it didn’t give any detail on what its new safeguards are.
To help protect customers from identity theft, Amtrak is offering consumers a free year of fraud monitoring from Experian. That’s all well and good, but do note that such a service only flags suspicious activity after it happens, not before.
Nor do such monitoring services work to prevent phishing attempts that exploit any PII attackers get their hands on. This should be of particular concern to the organizations whose employees travel via Amtrak: as of October 2018, phishing was cited as the most commonly used method in attacks, according to organizations surveyed for IDG’s 2018 US State of Cybercrime report.
Amtrak says that it hasn’t yet seen any indication of customers’ PII having been misused, but advised consumers to keep an eye out for fraud and ID theft by regularly reviewing their financial statements.
We don’t know how the attacker got hold of Amtrak Guest Rewards usernames and passwords. It’s quite possible that Amtrak wasn’t breached itself, but that its customers reused their logins across multiple sites, services and accounts, one or more of which may have been breached. Lists of breached credentials are regularly offered for sale on the dark web. After a crook hacks them or buys them, the credentials can be fed into automated spray-and-pray attack tools: a way to quickly try the same logins wherever else they might grant access, be it social media accounts or your bank account.
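The spray-and-pray pattern described above leaves a recognisable trace in a site’s own authentication logs, which is how a defender catches it before customers report fraud. This is an added example, not Amtrak’s or Naked Security’s code: it flags a source that tries many different usernames in a short window with mostly failures, and lists the accounts that succeeded inside that burst so they can be reset first. The log format and the sample lines are constructed for the example.

```python
"""Flag credential-stuffing bursts in auth logs: many *distinct* usernames from one
source in a short window, mostly failing.  A brute-force run against one account
(also included below) has a different shape and is deliberately not flagged."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log lines (not real Amtrak data); the line format is assumed.
SAMPLE_LOG = """\
2019-04-16T21:00:01Z auth FAIL user=alice src=203.0.113.7
2019-04-16T21:00:02Z auth FAIL user=bob src=203.0.113.7
2019-04-16T21:00:02Z auth OK user=carol src=203.0.113.7
2019-04-16T21:00:03Z auth FAIL user=dave src=203.0.113.7
2019-04-16T21:00:04Z auth FAIL user=erin src=203.0.113.7
2019-04-16T21:00:05Z auth OK user=frank src=203.0.113.7
2019-04-16T21:00:10Z auth FAIL user=ivan src=198.51.100.9
2019-04-16T21:00:11Z auth FAIL user=ivan src=198.51.100.9
2019-04-16T21:00:12Z auth FAIL user=ivan src=198.51.100.9
2019-04-16T21:00:13Z auth FAIL user=ivan src=198.51.100.9
2019-04-16T21:30:00Z auth OK user=judy src=192.0.2.44
"""
LINE_RE = re.compile(r"^(\S+) auth (OK|FAIL) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Yield (timestamp, result, user, src); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ"), m[2], m[3], m[4]


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.5):
    """Return {src: {"users": n, "fail_ratio": r, "compromised": [...]}} for sources that
    tried >= min_users distinct accounts within `window`, mostly failing; reset the
    'compromised' (successful) accounts first."""
    by_src = defaultdict(list)
    for ts, result, user, src in parse(log_text):
        by_src[src].append((ts, result, user))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):   # sliding window from each event
            burst = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, _, u in burst}
            ratio = sum(r == "FAIL" for _, r, _ in burst) / len(burst)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                alerts[src] = {"users": len(users), "fail_ratio": round(ratio, 2),
                               "compromised": sorted(u for _, r, u in burst if r == "OK")}
                break
    return alerts
```

On the sample, only 203.0.113.7 is flagged (six accounts, two of which logged in successfully); the repeated failures against `ivan` from 198.51.100.9 are a single-account brute force and fall outside this rule.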
We’ve said it before, and we’ll keep saying it: password reuse is truly a bad idea!
Amtrak breached, some customers’ logins and PII potentially exposed
The US rail service hasn't disclosed the number of passengers affected in a 16 April breach.
Tom
Not trying to read between the lines here, but was there an issue with the passwords such that the attacker was able to reverse the passwords and use them? (i.e., salt & pepper, in plaintext)
Paul Ducklin
There’s nothing in the Amtrak data breach letter about how the crooks got hold of the compromised usernames and passwords used to log in to affected accounts. For all we know the passwords could have been scraped out of memory during legitimate logins, and then used again later. (I’m not suggesting that as an exoneration, of course… just recognising that passwords can be acquired without ever acquiring a copy of the authentication database, hashed and salted or not.)
Ian
“a free year of fraud monitoring from Experian” oh how lucky these people are. All of their problems are sure to be solved now.