U.S. passenger railroad service Amtrak last week started informing some customers that their personal information may have been compromised as a result of unauthorized access to Guest Reward accounts.
A data breach notice shared by Amtrak with authorities reveals that the incident was discovered on April 16. The company determined that hackers gained access to some customers’ Guest Reward accounts using compromised usernames and passwords, which likely means that the attackers relied on the fact that many users have set the same username and password combination for multiple online accounts and their credentials were stolen in a previous breach.
Amtrak pointed out that social security numbers, payment card information or other financial data were not compromised as a result of the incident.
Amtrak Guest Reward accounts can store information such as name, email address, phone number, billing address, mailing address, coupons, and trip data. The account also allows users to transfer reward points to other accounts.
The organization said its security team terminated the unauthorized access within hours and an external cybersecurity firm was called in to confirm that the incident was contained.
In response to the breach, Amtrak has reset the passwords of affected accounts and says it’s taking steps to prevent such incidents in the future. Impacted customers are being offered one year of free identity protection services from Experian.
It’s unclear how many customers have been impacted. SecurityWeek has reached out to Amtrak for additional details and will update this article if the company responds.
This is not the first time Amtrak has sent a data breach notice to customers and U.S. authorities. Back in 2018, the company informed customers that they may have been impacted by a breach suffered by travel website Orbitz.