Amtrak Discloses Data Breach, Potential Leak of Guest Rewards Account Information

The National Railroad Passenger Corporation (Amtrak) has become the latest victim of a massive data breach, suggesting possible exposure of personal identifiable information of some of its customers.

In a Notice of Data Breach sent to the Attorney General’s Office of Vermont, the state-backed US transportation provider revealed that it had detected unauthorized access by a third party to certain Amtrak Guest Rewards accounts.

“On the evening of April 16, 2020, Amtrak determined that an unknown third party gained unauthorized access to certain Amtrak Guest Rewards accounts,” the notice wrote.

Amtrak Discloses Data Breach

According to the report, compromised usernames and passwords have been used to access certain accounts. To ZDNet, this might suggest the use of credentials that have been previously leaked in other incidents or the use of brute-force methods.

Amtrak, however, clarified that while the unauthorized access may have left some personal information accessible to attackers, no financial data, credit card information, or Social Security numbers were compromised.

“Amtrak takes this matter very seriously and is taking steps to help prevent incidents like this from happening again,” the transportation provider wrote.

According to them, after detecting suspicious activity, Amtrak’s IT security team were quick to investigate and terminate the unauthorized access “within a few hours.” In addition to this, the company also said it had reset the passwords for potentially impacted accounts, had reached out to outside cybersecurity experts, and employed additional security measures.

“To help protect your identity, we are offering a complimentary one-year membership of Experian’s® IdentityWorksSM at no charge to you. This product provides you with superior identity detection and resolution of identity theft,” Amtrak added.

The incident isn’t the first cybersecurity issue that has affected Amtrak. In 2018, the transportation provider revealed that its service provider, Orbitz, suffered from a security incident, which led to the exposure of some personal information of some of its customers.

“While we have no indication that your information was misused in any way, you should always remain vigilant for incidents of fraud and identity theft by regularly reviewing your account statements and monitoring your free credit reports. If you discover any suspicious or unusual activity on your accounts or suspect identity theft or fraud, report it immediately to your financial institutions,” the notice advised.

The news marks the latest addition to the list of cyberattacks done against companies engaging in the travel industry.