Customers' Personal Information Might Have Been Exposed in an Amtrak Data Breach

Amtrak Data Breach

Last week, The National Railroad Passenger Corporation, or Amtrak as it's better known, filed a data breach notification with the Office of the Vermont Attorney General, and it also started sending the notification to some of its customers. It says that in April, an unknown cybercriminal (or cybercriminals) managed to access some Amtrak accounts.

What we know

The attack was first detected on the evening of April 16, when Amtrak's IT team noticed that "a third party" had gained unauthorized access to accounts owned by travelers participating in Amtrak's Guest Rewards program. Once they were inside, the criminals were able to view the account owners' personal information. The notification points out that the potentially compromised information doesn't include any financial data or Social Security Numbers.

Within a few hours, Amtrak kicked off the intruders and began an investigation, which revealed that the attackers had used compromised login credentials to break in. A password reset was forced for every single one of the affected accounts, and outside cybersecurity experts were called in to confirm that the breach had been closed. Although the nature of the potentially compromised data doesn't appear to be especially sensitive, affected customers can enroll in a one-year membership in Experian's IdentityWorks fraud protection service completely free of charge. The breach notification is accompanied by instructions on what users need to do to take advantage of the fraud protection service, as well as tips on how they can protect themselves from identity theft.

On the face of it, Amtrak appears to be taking the incident seriously, and although it came more than a month after the railroad service learned about the attack, the disclosure seems to be transparent enough. When you look closer, however, you'll see that some pieces of the puzzle are still missing.

What we don't know

The exact nature of the potentially compromised information, for example, remains unknown. We do know that no credit card numbers were involved, but users still don't have a list of details that may have been accessed.

The number of affected customers is also a mystery. The investigation appears to be well and truly over, which means that Amtrak is either unaware of who was compromised exactly or is unwilling to publicly share this information. Whatever the case, not knowing how many people got hit means that it's difficult to determine the scale of the attack.

The most crucial bit of information that's missing from Amtrak's disclosure, however, is the source of the compromised login credentials. There are two options: the attackers either stole them from the railroad service itself, or they took them from a database leaked during an unrelated breach and used them to compromise accounts of people who reuse their passwords.

If the data was stolen from Amtrak, it would mean that at least up until mid-April, the company was not storing users' passwords securely. On the other hand, if it turns out that the attackers used credential stuffing, then this would mean that Amtrak's users are the ones who are not following best password security practices.

In the first scenario, there really isn't much you can do. Regardless of whether or not you are an Amtrak customer, however, you can (and must) make sure that you don't reuse the same password for more than one account. This is the easiest way of staying safe in the event of a credential stuffing attack.
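As an added illustration of the credential stuffing scenario (example code written for this post, not Amtrak's detection logic or anything from its notification), the following flags a login source that tries many distinct accounts and mostly fails, and lists the accounts that would need a forced password reset. The log records, IP addresses and thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample authentication events (not real Amtrak logs):
# (timestamp, source_ip, account, outcome)
EVENTS = [
    ("2020-04-16T21:00:01", "203.0.113.7", "user001", "fail"),
    ("2020-04-16T21:00:02", "203.0.113.7", "user002", "fail"),
    ("2020-04-16T21:00:02", "203.0.113.7", "user003", "success"),
    ("2020-04-16T21:00:03", "203.0.113.7", "user004", "fail"),
    ("2020-04-16T21:00:04", "203.0.113.7", "user005", "fail"),
    ("2020-04-16T21:00:05", "203.0.113.7", "user006", "success"),
    ("2020-04-16T21:00:06", "203.0.113.7", "user007", "fail"),
    ("2020-04-16T21:00:06", "203.0.113.7", "user008", "fail"),
    # A legitimate user mistyping their own password twice, then succeeding
    ("2020-04-16T21:01:00", "198.51.100.9", "alice", "fail"),
    ("2020-04-16T21:01:20", "198.51.100.9", "alice", "fail"),
    ("2020-04-16T21:01:40", "198.51.100.9", "alice", "success"),
]


def find_stuffing_sources(events, min_accounts=5, max_success_ratio=0.5):
    """Return source IPs that tried at least `min_accounts` distinct accounts
    with a low success ratio, plus the accounts they did get into.
    Thresholds are illustrative assumptions, not recommended values."""
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0,
                                  "successes": 0, "hits": set()})
    for _ts, ip, account, outcome in events:
        stats = per_ip[ip]
        stats["accounts"].add(account)
        stats["attempts"] += 1
        if outcome == "success":
            stats["successes"] += 1
            stats["hits"].add(account)  # likely compromised account
    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["successes"] / stats["attempts"]
        if len(stats["accounts"]) >= min_accounts and ratio <= max_success_ratio:
            flagged[ip] = {"distinct_accounts": len(stats["accounts"]),
                           "success_ratio": round(ratio, 2),
                           "compromised": sorted(stats["hits"])}
    return flagged


def accounts_to_reset(flagged):
    """Union of accounts a flagged source logged into: the forced-reset list."""
    return sorted(set().union(*(set(v["compromised"]) for v in flagged.values())))
```

Alice's two typos from one address touch only one account, so they are not flagged, while the single source cycling through eight accounts with two hits is.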

June 2, 2020
