An anonymous hacker has raised the alarm after discovering a vulnerability impacting Switzerland’s national railway system.
The flaw allowed the hacker to gain access to personal data belonging to around 500,000 individuals who had purchased tickets to ride on Swiss Federal Railways (SFR).
After detecting a weak spot in SFR’s Swiss Card system, the hacker reported it to the Rundschau show, which airs on Swiss public television, SRF.
Information left vulnerable by the flaw included travelers’ names, dates of birth, the number of first- and second-class tickets they purchased, places of departure and final destinations.
Speaking to the Rundschau program, the hacker said that anyone could have easily viewed the data as no specialist IT knowledge was needed to exploit the flaw.
“The sensitive data was practically public on the internet,” said the hacker.
The security breach was reported to Switzerland’s Federal Data Protection Commissioner.
According to Swiss news site Swiss Info, the data compromised by the hacker was never made public and has since been secured by SFR.
The hacker said that their motivation in exploiting the flaw was to expose its existence in the hope of averting a potentially malicious cyber-attack.
“This is a huge meltdown for Swiss Railways,” Otto Hostettler, an author and journalist specializing in cybercrime, told the Rundschau program.
“Such data can be sold in hacker forums on the dark web. In the wrong hands, it would have great potential for abuse.”
Cyber-criminals have been known to target the Swiss rail industry. In May 2020, hackers stole data from Swiss train manufacturer Stadler Rail and demanded a payment of $6m in Bitcoin for its return.
Following the attack, Stadler released a statement saying that it “is not and has never been willing to make payments to blackmailers and has not entered into negotiations.”
In response to Stadler’s rebuff, the cyber-thieves published images of some of the stolen files on the internet. A message accompanying the images stated that the criminals had swiped no fewer than 10,000 documents from the train maker.
The company said it had backups of all the data compromised in the attack.