[BreachExchange] Amtrak resets user passwords after Guest Rewards data breach

Destry Winant destry at riskbasedsecurity.com
Mon Jun 1 10:37:48 EDT 2020


The National Railroad Passenger Corporation (Amtrak) disclosed a data
breach that led to the exposure of personal information of some Guest
Rewards members.

Amtrak, a high-speed intercity passenger rail provider and an
independent US government agency, operates a nationwide rail network
in 46 states, the District of Columbia, and three Canadian provinces,
with 30 million customers during the last nine years.

It also has over 20,000 employees and operates more than 300 trains
every day to over 500 destinations, with revenue of $3.5 billion in
fiscal year 2019.

Account passwords reset

"On the evening of April 16, 2020, Amtrak determined that an unknown
third party gained unauthorized access to certain Amtrak Guest Rewards
accounts," Amtrak Guest Rewards Senior Director Vicky Radke says in a
notice of data breach filed with the Office of the Vermont Attorney
General.

"We have determined that compromised usernames and passwords were used
to access certain accounts and some personal information may have been

As the breach notification letter also explains, no financial data,
credit card info, or Social Security numbers were compromised during
this incident.

The company's security team blocked the unauthorized third party from
accessing the compromised Amtrak Guest Rewards accounts within a few
hours after detecting suspicious activity.
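The pattern Amtrak describes, a third party logging in with usernames and passwords that were already compromised elsewhere, is credential stuffing: the attacker holds one candidate password per account, tries each account once or twice, and most attempts fail because leaked passwords go stale. That signature is different from brute force (few accounts, many attempts each) and is what a detection should key on. The following Python script is an added example, not Amtrak's tooling or code from the original article. It parses constructed login log lines in an assumed format, flags a source that hits many distinct accounts with a high failure ratio and few attempts per account, and returns the accounts that authenticated successfully from that source, which is the set whose passwords have to be reset. The log format, field names, thresholds and IP addresses (documentation ranges) are all assumptions.

```python
"""Credential-stuffing detection over web login logs.

Added example, not Amtrak's code. Log format, thresholds and addresses
are assumptions made for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (hypothetical format: timestamp, source IP,
# username, result). 203.0.113.7 is the stuffing source; 198.51.100.9 is a
# legitimate user who mistypes a password twice and then succeeds.
SAMPLE_LOG = """\
2020-04-16T21:00:01Z ip=198.51.100.4 user=carol result=OK
2020-04-16T21:00:05Z ip=203.0.113.7 user=alice result=FAIL
2020-04-16T21:00:06Z ip=203.0.113.7 user=bob result=FAIL
2020-04-16T21:00:06Z ip=203.0.113.7 user=carol result=FAIL
2020-04-16T21:00:07Z ip=203.0.113.7 user=dave result=OK
2020-04-16T21:00:07Z ip=203.0.113.7 user=erin result=FAIL
2020-04-16T21:00:08Z ip=203.0.113.7 user=frank result=FAIL
2020-04-16T21:00:08Z ip=203.0.113.7 user=grace result=OK
2020-04-16T21:00:09Z ip=203.0.113.7 user=heidi result=FAIL
2020-04-16T21:00:09Z ip=203.0.113.7 user=ivan result=FAIL
2020-04-16T21:00:10Z ip=203.0.113.7 user=judy result=FAIL
2020-04-16T21:01:00Z ip=198.51.100.9 user=mallory result=FAIL
2020-04-16T21:01:03Z ip=198.51.100.9 user=mallory result=FAIL
2020-04-16T21:01:09Z ip=198.51.100.9 user=mallory result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    successes: set = field(default_factory=set)  # accounts that logged in


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def aggregate(events):
    """Per-source-IP counters of attempts, failures, accounts and successes."""
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e["ip"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(e["user"])
    return stats


def flag_stuffing(stats, min_users=8, min_fail_ratio=0.6, max_attempts_per_user=2.0):
    """Flag sources whose traffic looks like credential stuffing:
    many distinct accounts, mostly failures, and at most a couple of
    attempts per account. Thresholds are illustrative assumptions."""
    flagged = {}
    for ip, s in stats.items():
        fail_ratio = s.failures / s.attempts
        per_user = s.attempts / len(s.users)
        if (len(s.users) >= min_users
                and fail_ratio >= min_fail_ratio
                and per_user <= max_attempts_per_user):
            flagged[ip] = s
    return flagged


def accounts_to_reset(flagged):
    """Every account that authenticated from a flagged source is treated as
    compromised: the attacker evidently holds its password, so the response
    is a forced reset plus session invalidation for exactly these accounts."""
    out = set()
    for s in flagged.values():
        out |= s.successes
    return out


def analyze(log_text):
    """Return (flagged source IPs, accounts needing a password reset)."""
    stats = aggregate(parse(log_text))
    flagged = flag_stuffing(stats)
    return sorted(flagged), sorted(accounts_to_reset(flagged))


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Two caveats a practitioner would add before deploying this: stuffing tools rotate through proxy pools, so per-IP counting alone misses a distributed campaign and the same aggregation should also be run per user agent, per ASN and site-wide (a spike in distinct-account failures with no single hot source); and the thresholds above must be tuned against a baseline of normal failed-login traffic, with the counters reset over a sliding time window rather than accumulated forever.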

Amtrak didn't disclose the total number of accounts impacted by the
breach or the type of personal information potentially exposed but did
reset the passwords on all potentially affected Guest Rewards
accounts.
BleepingComputer has reached out to Amtrak for more details but had
not heard back at the time of this publication.

The intercity rail passenger service also hired third-party security
experts to implement safeguards designed to protect its customers from
future breach attempts and to confirm that the incident was contained.

Customers impacted by the Amtrak Guest Rewards data breach were also
offered a free one-year membership of Experian’s IdentityWorks
identity theft protection service.

Previous Amtrak security incidents and issues

According to a report published by Amtrak's Office of the Inspector
General in 2014, an Amtrak employee sold confidential passenger name
record (PNR) reservation information to U.S. Drug Enforcement
Administration (DEA) agents for almost two decades, starting in 1995,
for a total of $850,000.

This information would have been available to the DEA at no cost as
part of a joint drug enforcement task force with the Amtrak Police
Department.

In May 2018, Amtrak issued another notice of data breach after Orbitz,
one of its service providers, was breached between October 1, 2017,
and December 22, 2017.

This led to the potential exposure of customers' personal info such as
full name, payment card data, date of birth, phone number, email
address, physical and/or billing address, and gender.

Last year, offensive security testing firm Bishop Fox found critical
API vulnerabilities affecting Amtrak's iOS application, estimating
that attackers exploiting the flaws could have breached the data of at
least 6 million Amtrak Guest Rewards members.

Successful attacks targeting Amtrak's iOS app would've exposed
Personally Identifiable Information (PII) including full names,
addresses, and phone numbers, as well as partial payment data.
