U.S. passenger railroad service Amtrak last week started informing some customers that their personal information may have been compromised as a result of unauthorized access to Guest Reward accounts.
A data breach notice shared by Amtrak with authorities reveals that the incident was discovered on April 16. The company determined that hackers gained access to some customers’ Guest Reward accounts using compromised usernames and passwords, which likely means that the attackers relied on the fact that many users have set the same username and password combination for multiple online accounts and their credentials were stolen in a previous breach.
Amtrak pointed out that social security numbers, payment card information or other financial data were not compromised as a result of the incident.
Amtrak Guest Reward accounts can store information such as name, email address, phone number, billing address, mailing address, coupons, and trip data. The account also allows users to transfer reward points to other accounts.
The organization said its security team terminated the unauthorized access within hours and an external cybersecurity firm was called in to confirm that the incident was contained.
In response to the breach, Amtrak has reset the passwords of affected accounts and says it’s taking steps to prevent such incidents in the future. Impacted customers are being offered one year of free identity protection services from Experian.
It’s unclear how many customers have been impacted. SecurityWeek has reached out to Amtrak for additional details and will update this article if the company responds.
This is not the first time Amtrak has sent a data breach notice to customers and U.S. authorities. Back in 2018, the company informed customers that they may have been impacted by a breach suffered by travel website Orbitz.
Related: Railroad Construction Firm RailWorks Falls Victim to Ransomware
Related: New Marriott Data Breach Impacts Up to 5.2 Million Guests
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Siemens License Manager Vulnerabilities Allow ICS Hacking
- CISA Releases Open Source Recovery Tool for ESXiArgs Ransomware
- ICS Cybersecurity Firm Opscura Launches With $9.4 Million in Series A Funding
- Patch Released for Actively Exploited GoAnywhere MFT Zero-Day
- VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
Latest News
- Minister: Cybercrimes Now 20% of Spain’s Registered Offenses
- Skybox Security Raises $50M, Hires New CEO
- Spies, Hackers, Informants: How China Snoops on the US
- Australian Man Sentenced for Scam Related to Optus Hack
- Chrome 110 Patches 15 Vulnerabilities
- Application Security Protection for the Masses
- Tor Network Under DDoS Pressure for 7 Months
- Siemens License Manager Vulnerabilities Allow ICS Hacking
