Headline
Hackers Derail Amtrak Guest Rewards Accounts in Breach
The US passenger rail giant said attackers used previously compromised credentials to crack accounts and access a freight train of personal data.
Source: Peter Titmuss via Alamy Stock Photo
Amtrak has disclosed a data breach affecting train travelers’ Guest Rewards accounts.
In a breach-disclosure notice filed with the state of Massachusetts, the national passenger rail service noted that an unknown third party gained unauthorized access to users’ account information during the time period of May 15-18.
The transport giant determined that compromised usernames and passwords from prior breaches were likely used to access certain accounts, and stressed in the breach notice that there was no hack of Amtrak systems.
Even so, the information that the threat actor accessed includes a social engineering bonanza of data, including “name, contact information, Amtrak Guest Rewards account number, date of birth, payment details (such as partial credit card number and expiration date), gift card information (such as card number and PIN) and/or information about your transactions and trips.”
In some cases, the hackers took over accounts and changed emails and passwords to lock legitimate users out. Amtrak was able to nip that in the bud, though: “We have changed the email address for your Amtrak Guest Rewards account back to your email address and initiated a reset of your account password.”
Amtrak didn’t elaborate on how many rail aficionados are affected, but urged riders to rotate their passwords and implement multifactor authentication to prevent account access and takeovers.
“Threat actors have realized the high rewards of stealing from travel loyalty programs, which can easily be sold on the Dark Web or converted to tickets that they later sell,” said Stuart Wells, Jumio CTO, in an emailed statement shared with media. “It’s a reality that’s particularly tough on travelers who have worked for months, or even years, to accumulate loyalty points and status through regular trips. Customers who are less frequent travelers may not notice their points disappearing for a long time.”
Multiple Cyber Incidents for Amtrak Customers
This isn’t the first time the data breach engine has left the Amtrak station. In 2020, it disclosed a Guest Rewards breach in which “some personal information may have been viewed,” according to the notification, where the threat actor was noticed and booted out of the system “within a few hours.”
Jumio’s Wells noted that, given the weaknesses known to be present in most mainstream MFA techniques, businesses could go further to protect consumer accounts.
“As cyber threats evolve, businesses must adopt advanced verification technologies to enhance the protection of sensitive user data. Implementing a robust identity verification system is crucial to effectively combat fraud in all forms,” he said.
For instance, “utilizing biometric verification methods ensures that illegitimate users and hackers are hindered before causing further harm, as they would need more than just credentials to gain access. This approach protects consumers from having their personal details disclosed from compromised accounts and provides a very effective solution to combat fraud.”
About the Author(s)
Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.