Amtrak has revealed that some customers may have had their personal information and log-ins stolen after it detected unauthorized access to rewards accounts by a third party.
Also known as the National Railroad Passenger Corporation, the state-backed US transportation provider revealed the news in a regulatory filing with the Office of the Vermont Attorney General.
“On the evening of April 16, 2020, Amtrak determined that an unknown third party gained unauthorized access to certain Amtrak Guest Rewards accounts,” it noted. “We have determined that compromised usernames and passwords were used to access certain accounts and some personal information may have been viewed. No financial data, credit card information or Social Security numbers were compromised.”
The statement claimed that Amtrak’s IT security team terminated the unauthorized access “within a few hours,” reset passwords for affected accounts and hired outside security experts to contain the incident and put safeguards in place.
The firm is also offering affected customers a free year’s membership for the Experian IdentityWorks fraud monitoring service, although such offerings only flag suspicious account activity after the event and won’t be able to stop the potential follow-on phishing attacks that could target users.
It’s unclear how the attacker got hold of Amtrak Guest Rewards usernames and passwords in the first place, although the credentials may have been exposed in an earlier breach elsewhere and reused by customers across multiple sites and accounts.
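As an added illustration of the credential-reuse scenario described above (a constructed example, not Amtrak’s code or data): a small detector over constructed login-audit lines that flags a source address attempting many distinct accounts with mostly failures inside a short window, the signature of a replayed credential list, and returns the accounts that succeeded, which are the ones a defender would reset first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login-audit lines (not real Amtrak data):
# timestamp, source IP, username, outcome
SAMPLE_LOG = """\
2020-04-16T20:01:02Z 203.0.113.7 user_a FAIL
2020-04-16T20:01:03Z 203.0.113.7 user_b FAIL
2020-04-16T20:01:04Z 203.0.113.7 user_c OK
2020-04-16T20:01:05Z 203.0.113.7 user_d FAIL
2020-04-16T20:01:06Z 203.0.113.7 user_e FAIL
2020-04-16T20:01:07Z 203.0.113.7 user_f OK
2020-04-16T20:02:00Z 198.51.100.9 user_a FAIL
2020-04-16T20:02:30Z 198.51.100.9 user_a FAIL
2020-04-16T20:03:00Z 198.51.100.9 user_a OK
"""


def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=10),
                               min_accounts=5, max_success_ratio=0.5):
    """Return {ip: (distinct_accounts, {accounts that logged in OK})} for sources
    that tried many different accounts within `window` with mostly failures.
    A single user retrying their own password (one account) is not flagged."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):            # sliding time window per source
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            hits = {u for _, u, ok in span if ok}
            if len(users) >= min_accounts and len(hits) / len(span) <= max_success_ratio:
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), hits)   # keep the widest window
    return flagged
```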
This isn’t the first time the railroad giant has been forced to alert the authorities about a suspected breach. In 2018, it revealed that service provider Orbitz had suffered a security incident exposing customers’ personal information.
A year later, critical vulnerabilities were discovered in the Amtrak mobile application which researchers said could lead to a data breach of at least six million Amtrak Guest Rewards accounts.
It’s unclear how many passengers were affected in the latest data breach incident.