Amtrak data breach may have disclosed customer data

The railroad service Amtrak claims that user account data might have been breached

A security incident was reported by the National Railroad Passenger Corporation, also known as Amtrak. The rail service provider suffered a data breach after an unauthorized party managed to break into the servers and access some Amtrak Guest Rewards accounts.

The incident was first spotted on April 16, 2020, and on April 29 a letter stating that Amtrak had suffered a security breach was sent to the Attorney General’s Office of Vermont. According to the letter, the incident occurred due to compromised usernames and passwords, which were most likely used in a brute-force attack.[1] Additionally, the credentials could have been acquired by the attackers in previous data breaches or bought on underground hacking forums.

Vicky Radke, the Senior Director of Guest Rewards at Amtrak, said the following in the letter:[2]

Amtrak promptly fixed the issue and is cooperating with federal law enforcement. While I am glad the issue is now resolved, I sincerely apologize for any concern and inconvenience it could cause.

No indication of data misuse, Amtrak says

Guest Rewards is a program established by Amtrak that lets customers accumulate points while traveling and then redeem them for various free benefits and discounts on travel, car rentals, hotel stays, and much more. To be eligible for the service, users need to register an account on a dedicated web page on the official site.

To register for Guest Rewards, users need to provide several details, such as first name, last name, and email address, and choose their country of origin. Finally, they also need to choose a password that they can later use to log in to their accounts.[3]

It is believed that precisely this data was accessed during the security incident, although the company claimed that no sensitive details (Social Security numbers and credit card data) were included. Although the breach occurred, Amtrak observed no indicators of data compromise.

Despite this, users might easily become targets of phishing attacks directed at particular customers. Since malicious actors got hold of personal data such as names, usernames, and passwords, this data can be used to compose a convincing email and send it to particular users.

As a result, customers might be directed to third-party, spoofed,[4] malware-laden, and similarly dangerous websites. The technique can also be used to extract even more sensitive details from victims, such as credit card information, SSNs, etc.

Amtrak is providing a free identity protection service from Experian

It is currently unknown how many users were affected by the data breach, as Amtrak did not disclose such information. Nonetheless, the company is contacting each of the impacted users individually.

Even though no sensitive details like credit card information were accessed during the breach, Amtrak is offering one year’s membership of Experian’s IdentityWorks service at no cost:

To help protect your identity, we are offering a complimentary one-year membership of Experian’s IdentityWorks at no charge to you. This product provides you with superior identity detection and resolution of identity theft.

The impacted individuals received a unique activation code that must be used before the end of 8/31/2020. Users are also provided with a special customer phone number in case they have any questions about the IdentityWorks program. As an additional security measure, Amtrak imposed mandatory password resets on all the affected users.

Customers who were impacted by the breach should expect to receive targeted phishing emails, which might look like those from Amtrak, so they need to be vigilant not to get tricked by bad actors. The railroad service provider also said that users should monitor their online banking and credit reports for potential compromise indicators.

This is not the first data breach that occurred at Amtrak. In 2014, the company found out that one of its employees had been selling customer data for 20 years.[5]