Rail Europe Customer Data Breach

By ISBuzz Team, Writer, Information Security Buzz | May 15, 2018 08:30 am PST

In response to news that the Danish railway company DSB was hit with a DDoS attack over the weekend that prevented passengers from purchasing tickets via app, website, ticket machine or at store kiosks, IT security experts commented below.

Paul Bischoff, Privacy Advocate at Comparitech.com:

“The breach at Rail Europe is disconcerting not only because of what information was accessed by hackers, but how that information was accessed. Data breaches typically occur when a hacker gains unauthorized access to a database. In this case, however, the hackers were able to affect the front end of the Rail Europe website with “skimming” malware, meaning customers gave payment and other information directly to the hackers through the website. While the details haven’t been fully disclosed, the fact that this went on for three months shows a clear lack of security by Rail Europe.

Credit card skimming usually refers to the practice of covertly running a person’s physical card through an additional magnetic strip scanner to steal the information off of it. These “skimmers” are often placed on top of existing hardware to make it look as though the skimmer is part of the original ATM or point of payment. Rail Europe seems to have adapted that terminology to their own situation.

This also means all or nearly all of customers’ payment information was current and working, making it even more valuable. Rail Europe customers should keep an eye on their accounts for unauthorized activity and immediately change their passwords. Because email addresses and other personal information was leaked, they should also be on the lookout for targeted phishing scams in the months ahead.”

Anthony James, Chief Marketing Officer at Ciphercloud:

“Attackers installed software in Rail Europe point-of-sale systems and then watched the credit card data roll in. Point-of-sale (POS) and retail systems have been targeted worldwide for the past several years. POS systems are a great place to clandestinely obtain good, clean credit card data which can be immediately used or sold for high value on the dark web. All it takes is the right software and access through the perimeter to the financial network.

At the point of the transaction, many of the cards use the EMV chip and hence are pretty resilient to fraud. But all these attackers want to do is to intercept the numbers so they can use them in transactions where the chip doesn’t come into play. This includes internet transactions, mail order, and telephone orders.”

Ryan Wilk, Vice President of Customer Success at NuData Security:

“This is exactly why so many eCommerce entities, merchants, and financial institutions are turning to multi-layered solutions that incorporate passive biometrics and behavioral analytics. With these technologies, even when consumer information is stolen, the breached credentials cannot be used to log into someone else’s account or to make a fraudulent transaction. With these multi-layered solutions, verification is derived from hundreds of indicators based on the user’s online behavior – not relying on a password, challenge questions or even their social security number. These behaviors cannot be mimicked by hackers, protecting customers and businesses from post-breach damage.

“Today’s news is a call to action for every entity handling customer payment data and other personally identifiable information.”

Patrick Hunter, Director at One Identity:

“If we put aside the fact the fraud went undetected for 3 months, the question still has to be asked: How could a hacker get that malware onto the webserver in the first place?

A webserver isn’t like someone’s laptop where an employee, uneducated on cybersecurity, might just click on a link and unwittingly install the malware – although this may be where the journey started. The hackers had to get access to the webservers and then gain sufficient privilege in order to install their malware. Rail Europe didn’t give any detail on the method of attack but it seems they suspect a hacker used an account with privileged rights as they have changed their passwords.

Either way, attacks like this are generally a chain of events. The hacker has to gain access to the network or the webserver directly or via an exploit, then search around for the right accounts in order to get their software in place before finding a method to elevate to that account. If companies used best practice with regards to passwords by regularly changing them, or even better locking them away so that no one actually knows them, then these situations can be avoided. If you have to ask for the password for a particular server every time you wish to access it, and gain some form of permission via a workflow or use two-factor authentication, then it is significantly harder to gain those rights.

Right now, breaches like this are embarrassing at the very least but with the latest revision of GDPR less than two weeks away, organisations should be looking into these simple solutions to keep their stable doors locked.”

Andrew Lloyd, President at Corero Network Security:

“Keeping the control systems (e.g. railway signaling, power circuits and track movements) secure greatly reduces the risk of a catastrophic outcome that risks public safety. That said, a successful attack on the more vulnerable management systems can cause widespread disruption. This DDoS attack on the Danish railways’ ticketing site can be added to a growing list of such cyber-attacks that include last October’s DDoS attack on the Swedish Railways that took out their train ordering system for 2 days resulting in travel chaos.

“The lessons are clear; transportation companies and other operators of essential services have to invest in proactive cyber-security defenses to ensure that their services can stay online and open for business during a cyber-attack.

“The DDoS attack seen in Denmark this weekend on critical national infrastructure is precisely the type of attack that EU Governments are seeking to protect citizens against with last week’s introduction of The Network and Information Systems Directive (“NIS”), which defines the security of network and information systems standards that apply to operators of essential services including energy, transportation, health and public drinking water. NIS also defines eye-watering penalties for failure to “take appropriate and proportionate technical and organizational measures to manage risks posed to the security of the network and information systems on which their essential service depends”.

“With the implementation of the EU NIS Directive, the governments in all 28 EU member states now have a $24 million “big stick” to motivate operators to comply.”