Eurostar attack reminds us of the weakness of email address usernames

Following news of hacking attempts suffered by Eurostar, Dr Guy Bunker, SVP of products at data security firm, Clearswift, describes how similar attacks take place and measures users can take to protect themselves.

News emerged last week of Eurostar’s decision to reset customer login details after the firm flagged up attempts to access a series of user accounts.

A “small number of IP addresses” were linked to attacks which took place between 15th and 19th of October, but it is not yet known if attack origins have been traced.

The owners of the targeted accounts were notified, while other travellers have been asked to change their login credentials. The rail service did not confirm whether or not the attacks were successful, but did say that payment details were untouched.

A spokesperson for Eurostar told the BBC:

“We believe this to be an unauthorised automated attempt to access customer accounts. As a result, we blocked access and asked customers to reset their passwords as a precautionary measure.

“We deliberately never store any bank card information, so there is no possibility of compromise to credit card or payment details.”

The Information Commissioner’s Office was informed of the incident through a data breach report, an ICO spokeswoman said.

Dr Guy Bunker, SVP of Products, Clearswift, comments on the Eurostar hack attack:

“With the commercialisation of cyber-attacks, the opportunity for more cyber-criminals to attack more sites increases. This is what we see at present as the latest attacks are going after the next set of organisations which hold critical data. We know any organisation is a potential target and this proves the case.

“On the plus side, Eurostar obviously have a number of security controls in place, including the obvious one of looking for failed login attempts. These days gathering the intelligence from systems and applications around ‘security events’ is not difficult, however, often interpreting them and carrying out an action in a timely manner is an issue – not in this case.

“Whenever there is a new set of usernames/passwords leaked on the dark web there is often a sudden increase in brute force attacks such as this – trying the details which has been exposed against other websites. If this can be correlated to another set of leaked data, then there is a good opportunity for a cyber-attacker to breach a system. Of course, a failed attempt is easier to recognise than a successful first attempt by an attacker – the challenge then becomes whether this was the attacker or the actual person. In this case, correlating the times of both failed and successful attempts are required.

“Good security relies upon multiple factors, and for individuals who use services like Eurostar there is a need to ensure they have unique passwords, such that if one site is compromised, then others won’t follow as a matter of course.

“Eurostar as with many others use the users email as the username – meaning that can be readily guessed, but also will be used on other sites. Having different usernames for different sites along with different passwords can be seen as inconvenient, but when it comes to safeguarding your personal information it is undoubtedly worthwhile.”


The inaugural Data Protection World Forum (DPWF) was held on November 20th & 21st 2018 at the ExCeL London and welcomed over 3,000 delegates seeking the very latest insight on data protection and privacy.

Pre-registration for DPWF 2019 will be opening in the coming weeks.

https://www.dataprotectionworldforum.com/