Cyber Incident Victim: Amtrak

Date: Apr 2020

Location: United States of America

Summary

Amtrak experienced a data breach in which an unauthorized party accessed Guest Rewards accounts, apparently through compromised credentials or brute-force methods, potentially exposing customers' personally identifiable information. The rail service confirmed that sensitive financial data and Social Security numbers were not exposed. It revoked the fraudulent access within hours of detection, forced password resets for affected accounts, and offered impacted individuals complimentary credit monitoring, while working with cybersecurity experts and law enforcement to strengthen security measures.

Description

On April 16, 2020, Amtrak detected unauthorized access to its Amtrak Guest Rewards accounts, a loyalty program enabling travelers to accumulate points redeemable for discounts, hotels, and gift cards. The breach involved fraudulent access by an unknown third party using compromised usernames and passwords, indicating potential credential theft or brute-force attacks. Amtrak revoked the unauthorized access within hours of discovery. The company confirmed that while personally identifiable information (PII) was viewable in some accounts, Social Security numbers, credit card details, and other financial data remained unaffected. By April 29, 2020, Amtrak formally notified the Vermont Attorney General’s Office of the incident, disclosing that attackers had targeted customer accounts but did not penetrate core financial systems or corporate networks.

Amtrak enforced mandatory password resets for all impacted Guest Rewards accounts and offered one year of free Experian credit monitoring to affected customers. The breach highlighted broader cybersecurity risks within the travel sector, an industry frequently targeted due to its storage of sensitive customer data. Amtrak collaborated with external cybersecurity experts and law enforcement agencies to investigate the incident and implement enhanced security measures. While the exact number of compromised accounts was not disclosed, the incident followed a pattern of high-profile travel industry breaches, including contemporaneous incidents at Marriott (impacting 5.2 million guests) and easyJet (exposing data of nine million users). Amtrak’s containment actions focused on rapid access revocation and credential resets, with no reported evidence of subsequent misuse of exposed data at the time of disclosure.
