 
A passenger railroad service announced that a data breach might have affected some passengers' personally identifiable information (PII).
 
In a "Notice of Data Breach" letter sent to the Attorney General's Office of Vermont, Amtrak revealed that it had discovered the data breach on April 16, 2020. Amtrak looked into the matter and discovered that an unknown third party had gained unauthorized access to some Amtrak Guest Reward accounts. Those types of accounts allow passengers to build up points by riding with Amtrak so that they can ultimately claim rewards.

Whoever was behind the data breach had abused compromised usernames and passwords to authenticate themselves on those Guest Reward accounts, Amtrak explained in its notice. In the process, those individuals might have viewed affected members' personal information. That data did not include passengers' Social Security Numbers (SSNs), payment card details or financial information, however.

According to its statement, the passenger railroad service implemented several measures to respond to the breach and to prevent similar incidents from occurring in the future. As it explained in the letter:
"After detecting suspicious activity, our security team immediately investigated the issue and terminated the unauthorized access within a few hours. We also reset the passwords for potentially affected accounts. Amtrak engaged outside cybersecurity experts to confirm that the incident was contained and implemented additional safeguards to protect customers."
Those affected by the data breach disclosed by Amtrak should consider availing themselves of the complimentary one-year Experian IdentityWorks membership offered by the passenger railroad service. They should also consider taking additional steps to safeguard themselves against attacks that could attempt to exploit their exposed information. Those measures should begin with creating a strong, unique password for their Guest Reward accounts. Finally, they can use these steps to deter the efforts of identity thieves.
 
