The National Railroad Passenger Corporation (Amtrak) disclosed a data breach that led to the exposure of personal information of some Guest Rewards members.
Amtrak, a high-speed intercity passenger rail provider and an independent US government agency, operates a nationwide rail network in 46 states, the District of Columbia, and three Canadian provinces, with 30 million customers during the last nine years.
It also has over 20,000 employees and operates more than 300 trains every day to over 500 destinations, with revenue of $3.5 billion in fiscal year 2019.
Account passwords reset
“On the evening of April 16, 2020, Amtrak determined that an unknown third party gained unauthorized access to certain Amtrak Guest Rewards accounts,” Amtrak Guest Rewards Senior Director Vicky Radke says in a notice of data breach filed with the Office of the Vermont Attorney General.
“We have determined that compromised usernames and passwords were used to access certain accounts and some personal information may have been viewed.”
As the breach notification letter also explains, no financial data, credit card info, or Social Security numbers were compromised during this incident.
The company’s security team blocked the unauthorized third party from accessing the compromised Amtrak Guest Rewards accounts within a few hours after detecting suspicious activity.
Amtrak didn’t disclose the total number of accounts impacted by the breach or the type of personal information potentially exposed but did reset the passwords on all potentially affected Guest Rewards accounts.
BleepingComputer has reached out to Amtrak for more details but had not heard back at the time of this publication.
The intercity rail passenger service also hired third-party security experts to implement safeguards designed to protect its customers from future breach attempts and to confirm that the incident was contained.
Customers impacted by the Amtrak Guest Rewards data breach were also offered a free one-year membership of Experian’s IdentityWorks identity theft protection service.
Previous Amtrak security incidents and issues
According to a report published by Amtrak’s Office of the Inspector General in 2014, an Amtrak employee sold confidential passenger name reservation information to U.S. Drug Enforcement Administration (DEA) agents for almost two decades, starting in 1995, for a total of $850,000.
This information would have been freely available to the DEA as part of a joint drug enforcement task force with the Amtrak Police Department (APD).
In May 2018, Amtrak issued another notice of data breach after Orbitz, one of its service providers, was breached between October 1, 2017, and December 22, 2017.
This led to the potential exposure of customers’ personal info such as full name, payment card data, date of birth, phone number, email address, physical and/or billing address, and gender.
Offensive security testing firm Bishop Fox found critical API vulnerabilities affecting Amtrak’s iOS application last year, estimating that attackers who exploited the flaws could have breached the accounts of at least 6 million Amtrak Guest Rewards members.
Successful attacks targeting Amtrak’s iOS app would’ve exposed Personally Identifiable Information (PII) including full names, addresses, and phone numbers, as well as partial payment data.