Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Amtrak Discloses Security Incident Involving Guest Reward Accounts

U.S. passenger railroad service Amtrak last week started informing some customers that their personal information may have been compromised as a result of unauthorized access to Guest Reward accounts.

U.S. passenger railroad service Amtrak last week started informing some customers that their personal information may have been compromised as a result of unauthorized access to Guest Reward accounts.

A data breach notice shared by Amtrak with authorities reveals that the incident was discovered on April 16. The company determined that hackers gained access to some customers’ Guest Reward accounts using compromised usernames and passwords, which likely means that the attackers relied on the fact that many users have set the same username and password combination for multiple online accounts and their credentials were stolen in a previous breach.

Amtrak pointed out that social security numbers, payment card information or other financial data were not compromised as a result of the incident.

Amtrak Guest Reward accounts can store information such as name, email address, phone number, billing address, mailing address, coupons, and trip data. The account also allows users to transfer reward points to other accounts.

The organization said its security team terminated the unauthorized access within hours and an external cybersecurity firm was called in to confirm that the incident was contained.

In response to the breach, Amtrak has reset the passwords of affected accounts and says it’s taking steps to prevent such incidents in the future. Impacted customers are being offered one year of free identity protection services from Experian.

It’s unclear how many customers have been impacted. SecurityWeek has reached out to Amtrak for additional details and will update this article if the company responds.

This is not the first time Amtrak has sent a data breach notice to customers and U.S. authorities. Back in 2018, the company informed customers that they may have been impacted by a breach suffered by travel website Orbitz.

Related: Railroad Construction Firm RailWorks Falls Victim to Ransomware

Related: New Marriott Data Breach Impacts Up to 5.2 Million Guests

Related: GoDaddy Notifies Customers of Data Breach

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.