Cyber Incident Victim: GWR
Date: Apr 2018
Location: United Kingdom
Summary
A British rail operator experienced unauthorized automated login attempts targeting customer accounts, with approximately 1,000 accounts successfully breached. The incident prompted a precautionary reset of over one million accounts to mitigate further risk. Encrypted banking information remained secure, though some customers raised concerns about the legitimacy of reset notifications due to an unusual sender address. The low success rate of the login attempts indicated that compromised credentials were likely sourced from external breaches, highlighting the common practice of password reuse across multiple services. Cybersecurity experts suggested attackers exploited credentials obtained from prior incidents to gain unauthorized access to accounts.
Description
In early April 2018, Great Western Railway (GWR) detected unauthorized automated attempts to access customer accounts on its GWR.com platform. The attackers targeted over a million accounts over approximately one week, successfully compromising around 1,000 accounts containing passenger details. The rail operator, part of FirstGroup and serving routes between London, Penzance, and Worcester, quickly terminated the malicious activity upon discovery. Affected customers were directly notified of the breach. GWR confirmed that financial data remained protected due to encryption measures. The company observed that the attackers' low success rate indicated the credentials used were likely obtained from external sources rather than through a direct compromise of GWR's systems. As a precaution, GWR proactively reset passwords for all customer accounts, regardless of whether they showed evidence of compromise.

The incident prompted customer concerns regarding the legitimacy of GWR's breach notification emails, as some recipients questioned unusual sender addresses. Cybersecurity analysts suggested the attackers probably utilized credentials obtained from previous third-party breaches available on dark web markets, exploiting customers' tendency to reuse passwords across multiple services. The breach exposed non-financial passenger details but did not compromise encrypted banking information. GWR's response focused on rapid containment through account resets and direct communication with impacted individuals, while external experts emphasized the broader pattern of credential-stuffing attacks following major data leaks elsewhere. The company did not disclose specific technical details about the attack vector or the types of non-financial data accessed beyond confirming customer account breaches.
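The inference described above (many accounts tried, very few hits, so the credentials came from somewhere else) can be turned into a detection rule. The following is an added example, not code from the incident record or from GWR; the log format, the source field, the sample lines and the thresholds are assumptions for illustration.

```python
# Added example, not part of the incident record: a defender-side heuristic for
# spotting credential stuffing in authentication logs. The log format, the
# source field and the thresholds below are assumptions for illustration.
from collections import defaultdict

# Constructed sample log, one line per attempt: "<timestamp> <source> <account> <result>".
# 203.0.113.7 tries ten accounts and hits one (a 10% success rate, like the
# low rate GWR reported); 198.51.100.4 is one customer retrying their own login.
SAMPLE_LOG = """\
2018-04-02T10:00:01 203.0.113.7 alice FAIL
2018-04-02T10:00:02 203.0.113.7 bob FAIL
2018-04-02T10:00:02 203.0.113.7 carol FAIL
2018-04-02T10:00:03 203.0.113.7 dave SUCCESS
2018-04-02T10:00:03 203.0.113.7 erin FAIL
2018-04-02T10:00:04 203.0.113.7 frank FAIL
2018-04-02T10:00:05 203.0.113.7 grace FAIL
2018-04-02T10:00:05 203.0.113.7 heidi FAIL
2018-04-02T10:00:06 203.0.113.7 ivan FAIL
2018-04-02T10:00:07 203.0.113.7 judy FAIL
2018-04-02T10:05:00 198.51.100.4 mallory FAIL
2018-04-02T10:05:30 198.51.100.4 mallory FAIL
2018-04-02T10:06:00 198.51.100.4 mallory SUCCESS
"""

def summarize(log_text):
    """Per source: attempt count, distinct accounts tried, accounts that succeeded."""
    stats = defaultdict(lambda: {"attempts": 0, "tried": set(), "hits": set()})
    for line in log_text.splitlines():
        _ts, source, account, result = line.split()
        s = stats[source]
        s["attempts"] += 1
        s["tried"].add(account)
        if result == "SUCCESS":
            s["hits"].add(account)
    return stats

def flag_stuffing(stats, min_accounts=5, max_success_rate=0.2):
    """Many distinct accounts from one source with a low success rate points to
    credentials replayed from another breach rather than a compromise of this
    service. Returns {source: success_rate} for sources that match."""
    flagged = {}
    for source, s in stats.items():
        rate = len(s["hits"]) / s["attempts"]
        if len(s["tried"]) >= min_accounts and rate <= max_success_rate:
            flagged[source] = round(rate, 3)
    return flagged

def accounts_to_reset(stats, flagged):
    """Accounts logged into from a flagged source: reset and notify these first."""
    return set().union(*(stats[src]["hits"] for src in flagged))
```

A single customer failing twice and then succeeding is not flagged, which is what separates this rule from a plain failed-login counter.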
