Amtrak Data Breach: Expert Commentary

By   ISBuzz Team
Writer , Information Security Buzz | Jun 02, 2020 02:49 am PST

Amtrak, the public transportation unit, announced that it suffered a data breach causing Amtrak to reset user passwords after the Guest Rewards data breach. The data obtained from this breach of consumer’s personal information.

Subscribe
Notify of
guest
3 Expert Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
Sam Curry
Sam Curry , Chief Security Officer
June 3, 2020 10:27 am

In the old days we used to say that “loose lips sink ships,” but in this day and age “a loose click kills quick” – and while details regarding Amtrak\’s reported breach are still being made public, only time will tell how many passengers are impacted by having their PII stolen. Amtrak is undoubtedly suffering in the current COVID-19 pandemic from a near halt of business and personal travel across the U.S. and this particular breach, while extremely painful for the company and its impacted customers, will strengthen Amtrak\’s resolve and help them improve their security defences.

From what I am reading, Amtrak has been proactive in its notification approach. Perhaps the negative headlines and fallout from this newest breach disclosure will also be a wake up call to other track operators and the entire rail system in this country to assess their current security hygiene and to make sure their security analysts have the tools to identify malicious and abnormal looking behaviour immediately, giving them a chance to assess risk and then remediate any incidents. My advice to Amtrak\’s passengers is to pay close attention to their rewards statements, to monitor activity on a regular basis and if anything looks suspicious and out of the ordinary to call either their credit card company or Amtrak. And update their passwords regularly and never, ever use combinations such as \’123456\’, \’password\’ or other common combinations.

Last edited 3 years ago by Sam Curry
Jason Kent
Jason Kent , Hacker in Residence
June 3, 2020 10:19 am

We\’ve watched credential stuffing attacks escalate over the past few months, and sympathize with the impacted organizations who have to work to respond and reposition their platforms as \’secure and private.\’ While end-users certainly have a role to play in securing their accounts with strong passwords and multi-factor authentication, we believe that organizations also need to take a close look at the risk profile of their APIs to ensure that they are not an easy and attractive target for hackers. These API-centric attacks will only continue to escalate as long as insecure endpoints are easily discovered, analyzed, and abused.

Last edited 3 years ago by Jason Kent
Robert Prigge
June 2, 2020 10:53 am

Amtrak\’s breached Guest Rewards usernames and passwords have already been used by fraudsters to access accounts and view personal information. It\’s clear these traditional authentication methods can\’t be trusted to keep accounts secure, as cybercriminals can easily log in with stolen passwords, and there\’s no way to confirm the legitimate user is the one accessing the account. Amtrak\’s response to reset passwords and provide complimentary identity theft protection services is simply not enough to keep their 30 million user accounts safe. Fraudsters can easily use the original password to access other user accounts, including banking, insurance, social media and more, where they can transfer funds, change passwords to lock the real user out and even use found personal information to commit identity theft. As train and air travel will likely increase when COVID-19 restrictions are lifted, the travel industry is a growing target for fraud. It\’s time for travel organizations to adopt stronger forms of authentication to keep their customer accounts secure. Biometric authentication (leveraging a user’s unique biological traits to verify identity) ensures only authorized users can access accounts.

Last edited 3 years ago by Robert Prigge

Recent Posts

3
0
Would love your thoughts, please comment.x
()
x