

Amtrak has suffered a data breach, with customer information stolen from its rewards program.
News of the data breach came via a filing Amtrak made Friday with the state of Vermont. It described the breach as involving an unknown third party gaining unauthorized access to certain Guest Rewards accounts. Personally identifiable information was accessed, but financial data, credit card information and Social Security numbers were not compromised.
Amtrak said the data breach involved compromised usernames and passwords, suggesting that those behind the attack may have used account credentials stolen from another site, since users often reuse passwords across different services.
The corporation added that it had fixed the issue, reset passwords for potentially affected accounts, hired outside cybersecurity experts to implement additional safeguards and informed law enforcement. Affected customers are also being offered a complimentary one-year membership of Experian IdentityWorks, a credit monitoring program.
The number of accounts compromised was not disclosed.
“Amtrak’s breached Guest Rewards usernames and passwords have already been used by fraudsters to access accounts and view personal information,” Robert Prigge, chief executive officer of identity verification company Jumio Corp., told SiliconANGLE. “It’s clear these traditional authentication methods can’t be trusted to keep accounts secure, as cybercriminals can easily log in with stolen passwords and there’s no way to confirm the legitimate user is the one accessing the account.”
Prigge added that Amtrak’s response isn’t enough to keep the user accounts safe. “Fraudsters can easily use the original password to access other user accounts, including banking, insurance, social media and more, where they can transfer funds, change passwords to lock the real user out and even use found personal information to commit identity theft,” he said. “As train and air travel will likely increase when COVID-19 restrictions are lifted, the travel industry is a growing target for fraud. It’s time for travel organizations to adopt stronger forms of authentication to keep their customer accounts secure.”