Amtrak, the US passenger railroad service operating intercity rail services in nearly all states, has informed some customers of a data breach. The company disclosed that an unauthorized party might have used login credentials to access Amtrak Guest Rewards accounts. This unusual activity was observed between May 15 and May 18, 2024. Amtrak believes the credentials were obtained from third-party sources, not their own systems.
The breach notification to Massachusetts authorities did not specify how many customers were affected. In 2023, Amtrak had 28 million passengers, and its Guest Rewards program allows members to earn points for rewards, upgrades, and gift cards. The company is working to determine the scope of the incident and will provide updates as more information becomes available.
Threat actors may have accessed sensitive information, including names, Amtrak Guest Rewards account numbers, dates of birth, partial credit card details, gift card information, transaction data, and travel history. This incident is not the first for the Amtrak Guest Rewards program; a similar breach occurred in 2020, but the scope was not revealed.
Amtrak advises affected Guest Rewards members to change their login credentials immediately and enable multifactor authentication for added security. The company emphasizes the importance of taking these steps to protect personal information and prevent unauthorized access in the future.
