Amtrak, officially known as The National Railroad Passenger Corporation, has revealed that some of its Guest Rewards members have had their personal information compromised by a third-party hacker.
The for-profit company is a state-backed US passenger railroad provider that operates across 46 states and 3 Canadian provinces, running more than 300 trains daily and accumulating 30 million customers since 2011.
On April 16, 2020, it was disclosed in a regulatory filing with the Office of the Vermont Attorney General that, “an unknown third party gained unauthorized access to certain Amtrak Guest Rewards accounts.” Though the report stated that financial data, credit card information and Social Security numbers were not compromised, “usernames and passwords were used to access certain accounts and some personal information may have been viewed.”
Since then, Amtrak’s security team claims to have blocked the unauthorised third party from accessing the impacted accounts within a few hours of being alerted to the suspicious activity, and to have reset all compromised passwords and logins. It is unknown how many customers have had their information stolen, but Amtrak reports that those affected have been offered a free one-year membership of Experian’s IdentityWorks identity theft protection service, and that the company has engaged third-party security experts to prevent future breaches.
However, this is not the first time that Amtrak has suffered a security breach. In 2014, Amtrak’s Office of the Inspector General reported that a former employee had been selling passenger information and name reservation identification to U.S. Drug Enforcement Administration (DEA) agents since 1995, receiving a total of $850,000 for the information over the years. This raised serious questions about what internal controls and audits were in place and what security measures the company had implemented to prevent insider attacks.
In 2019, Amtrak’s iOS application was criticised after it was revealed that two API endpoints did not enforce authentication. Researchers argued that, if exploited, the flaw could expose the sensitive data of at least 6 million Guest Rewards members.