Amtrak User Account Breach Highlights the Importance of Robust Authentication Systems

- National Railroad Passenger Corporation, popularly known as Amtrak, alerted users and the government of a breach of its customer accounts.
- The incident, which allowed the attacker to access personal and financial information, exposed users to further identity and credit fraud.

Amtrak submitted a breach disclosure notification to the Massachusetts Attorney General outlining a recent cyber incident its customers suffered. According to the notice, which was also delivered to impacted customers, an unknown threat actor gained access to Amtrak Guest Rewards accounts.
The company implied that the unauthorized party gained access through credential stuffing between May 15 and May 18, 2024. “We believe that the unauthorized party may have obtained your login credentials from third-party sources,” Amtrak said.
It is unclear where the credentials were obtained, but they were likely leaked in previous data breaches on other platforms where the users had similar usernames/emails and passwords. Other attack vectors include phishing.
As such, no Amtrak systems were compromised. However, the threat actors did access the names, contact information, Amtrak Guest Rewards account number, dates of birth, payment details (partial credit card numbers and expiration dates), gift card information (card number, PIN), and transactions with Amtrak. The attackers may also have changed the email address associated with users’ accounts, thus locking them out.
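The pattern described above (reused credentials tried against many accounts, then the account email changed) can be flagged from authentication logs. The following is an added example, not Amtrak's code or anything from the notice; the event format, thresholds and the function name `find_takeovers` are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample auth events (not real data):
# (epoch_seconds, source_ip, account, event)
EVENTS = [
    (0,   "203.0.113.7",  "alice", "login_fail"),
    (2,   "203.0.113.7",  "bob",   "login_fail"),
    (4,   "203.0.113.7",  "carol", "login_ok"),
    (6,   "203.0.113.7",  "dave",  "login_fail"),
    (9,   "203.0.113.7",  "erin",  "login_fail"),
    (30,  "203.0.113.7",  "carol", "email_change"),
    # An ordinary user: one failed attempt, then success, later an email update.
    (40,  "198.51.100.4", "frank", "login_fail"),
    (45,  "198.51.100.4", "frank", "login_ok"),
    (900, "198.51.100.4", "frank", "email_change"),
]


def find_takeovers(events, window=300, min_accounts=5):
    """Return sorted (source, account) pairs where a source that tried many
    distinct accounts within `window` seconds logged in to one of them and
    then changed its email address. Thresholds are assumed values."""
    by_src = defaultdict(list)
    for ts, src, acct, ev in sorted(events):
        by_src[src].append((ts, acct, ev))

    hits = set()
    for src, evs in by_src.items():
        for ts, acct, ev in evs:
            if ev != "email_change":
                continue
            # Login attempts from this source in the window before the change.
            logins = [(a, e) for t, a, e in evs
                      if ts - window <= t <= ts and e.startswith("login_")]
            sprayed = len({a for a, _ in logins}) >= min_accounts
            if sprayed and (acct, "login_ok") in logins:
                hits.add((src, acct))
    return sorted(hits)


if __name__ == "__main__":
    for src, acct in find_takeovers(EVENTS):
        print(f"review: {acct} email changed after spray from {src}")
```

Keying on source address alone misses attempts spread across many addresses, so in practice the same rule is usually also keyed on device fingerprint or network range.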
“Threat actors have realized the high rewards of stealing from travel loyalty programs, which can easily be sold on the dark web or converted to tickets that they later sell. It’s a reality that’s particularly tough on travelers, who have worked for months, or even years, to accumulate loyalty points and status through regular trips,” Stuart Wells, CTO at Jumio, told Spiceworks News & Insights.
“Customers who are less frequent travelers may not notice their points disappearing for a long time. Additionally, scammers can leverage exposed information to carry out additional fraud attempts, such as opening new accounts, leading to complex and time-consuming resolution processes once the fraudulent activity is discovered.”
In response, the passenger rail carrier restored the original email addresses on users’ Amtrak Guest Rewards accounts and initiated a password reset across accounts. Amtrak advised users to stay alert to fraudulent activity by reviewing account statements regularly and placing a fraud alert on their credit files.
“As cyber threats evolve, businesses must adopt advanced verification technologies to enhance the protection of sensitive user data. Implementing a robust identity verification system is crucial to effectively combat fraud in all forms,” Wells added.
“Utilizing biometric verification methods ensures that illegitimate users and hackers are hindered before causing further harm, as they would need more than just credentials to gain access. This approach protects consumers from having their personal details disclosed from compromised accounts and provides a very effective solution to combat fraud.”