The National Railroad Passenger Corporation is notifying customers of a data breach affecting their Amtrak Guest Rewards accounts.
Operating as Amtrak, the rail service giant filed a data breach notification with the Office of the Massachusetts Attorney General on June 14, saying it learned of unauthorized access on May 15, 2024.
However, Amtrak believes the threat actor gained access between May 15, 2024, and May 18, 2024.
In response, the Washington, D.C.-based transport company reset users’ accounts to dislodge the threat actor and launched an investigation to determine the scope of the cybersecurity incident.
Amtrak Guest Rewards accounts data breach blamed on credential stuffing
Amtrak’s assessment determined that the attackers used legitimate login credentials obtained from third-party sources to gain access. However, no Amtrak information systems were breached during the credential stuffing attack.
“We believe that the unauthorized party may have obtained your login credentials from third-party sources,” Amtrak said, adding that there was no indication that “your login credentials were obtained from our systems.”
According to breach notices sent to impacted customers, Amtrak disclosed that the unauthorized party changed the Guest Rewards account’s primary email address in a complete takeover attempt.
Additionally, they obtained personal information, including names, contact information, Amtrak Guest Rewards account numbers, and dates of birth.
Similarly, limited payment details, such as partial credit card numbers and expiration dates, gift card information, including card number and PIN, and other transactional information, were compromised during the attack.
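One way a defender could surface the pattern described above, logins against many accounts from one source followed by a change of an account's primary email address, from authentication logs. This is an added example, not Amtrak's code or tooling; the log format, thresholds, function names and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): time, event, account, source IP, result
SAMPLE_LOG = """\
2024-05-15T02:10:01 login alice 203.0.113.7 fail
2024-05-15T02:10:03 login bob 203.0.113.7 fail
2024-05-15T02:10:05 login carol 203.0.113.7 ok
2024-05-15T02:12:40 email_change carol 203.0.113.7 ok
2024-05-15T08:30:00 login erin 198.51.100.20 ok
2024-05-15T08:31:10 email_change erin 198.51.100.20 ok
"""

def parse(log):
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 5:  # skip malformed lines
            events.append((datetime.fromisoformat(parts[0]), *parts[1:]))
    return sorted(events)  # chronological order

def stuffing_sources(events, min_accounts=3, window=timedelta(minutes=5)):
    """IPs that attempt logins on many distinct accounts within a short window."""
    by_ip = defaultdict(list)
    for ts, kind, account, ip, _ in events:
        if kind == "login":
            by_ip[ip].append((ts, account))
    flagged = set()
    for ip, attempts in by_ip.items():
        for i, (start, _) in enumerate(attempts):
            accounts = {a for t, a in attempts[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def takeover_candidates(events, grace=timedelta(minutes=30)):
    """Accounts whose email changed soon after a successful login from a stuffing source."""
    sources = stuffing_sources(events)
    last_ok = {}  # (account, ip) -> time of last successful login from a flagged IP
    hits = []
    for ts, kind, account, ip, result in events:
        if kind == "login" and result == "ok" and ip in sources:
            last_ok[(account, ip)] = ts
        elif kind == "email_change" and result == "ok":
            t = last_ok.get((account, ip))
            if t is not None and ts - t <= grace:
                hits.append(account)
    return hits
```

On the constructed log, only the account whose email change follows a login from the many-account source is reported; the ordinary single-account email change is not.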
So far, Amtrak has no evidence that the threat actor has misused the stolen customer information. The stolen data is invaluable for fraud and targeted phishing attacks and can be easily monetized in underground cybercrime marketplaces.
“Threat actors have realized the high rewards of stealing from travel loyalty programs, which can easily be sold on the dark web or converted to tickets that they later sell,” said Stuart Wells, Jumio CTO. “Customers who are less frequent travelers may not notice their points disappearing for a long time. Additionally, scammers can leverage exposed information to carry out additional fraud attempts, such as opening new accounts, leading to complex and time-consuming resolution processes once the fraudulent activity is discovered.”
Customers advised to be vigilant of suspicious activities
Meanwhile, the rail service operator is offering 12 months of complimentary identity theft protection services with Experian IdentityWorks to protect the impacted customers from fraud.
Additionally, the railroad company advised customers to remain vigilant by monitoring their financial and credit statements and reporting any suspicious activity. They should also reset other online accounts that use similar usernames and passwords to prevent further credential-stuffing attacks.
Similarly, impacted customers should secure their Amtrak Guest Rewards accounts with a “unique password that is not easy to guess or used for other accounts,” the company said.
Google Cloud’s 2023 Threat Horizons Report found that 86% of data breaches stemmed from compromised credentials, underscoring the importance of an additional layer of security like multi-factor authentication.
Amtrak says it has enabled two-factor authentication (2FA) via email or text to prevent unauthorized parties from accessing customers’ accounts using compromised passwords.
“As a precaution to improve your account security and prevent unauthorized account access, Amtrak has enabled multifactor authentication on your Amtrak Guest Rewards account,” the company said.
The transport giant has also implemented additional internal security measures to prevent a similar security incident in the future.
Nevertheless, Amtrak has either withheld or has yet to determine the exact number of customers impacted by the data breach. However, with over 28 million passengers transported by the National Railroad Passenger Corporation in 2023, the extent of the Amtrak Guest Rewards accounts data breach could be substantial.
Guest Rewards accounts breached in the past
The May 2024 Amtrak data breach is hardly the first in which attackers leveraged compromised login credentials to breach the company’s Guest Rewards accounts.
In April 2020, Amtrak disclosed a data breach after “an unknown third party gained unauthorized access to certain Amtrak Guest Rewards accounts,” also using “compromised usernames and passwords.” However, the 2020 Guest Rewards accounts breach did not expose “financial data, credit card information or Social Security numbers.”
Seemingly, Amtrak also failed to require two-factor authentication after hackers compromised user accounts using stolen passwords in 2020, a major oversight, according to Wells.
“As cyber threats evolve, businesses must adopt advanced verification technologies to enhance the protection of sensitive user data,” Wells added. “Implementing a robust identity verification system is crucial to effectively combat fraud in all forms. Utilizing biometric verification methods ensures that illegitimate users and hackers are hindered before causing further harm, as they would need more than just credentials to gain access.”