Americans who booked European train tickets through Rail Europe North America (RENA) may be victims of a nearly three-month data breach of its e-commerce system. RENA, the leading worldwide distributor of European rail products, from rail passes to train tickets and reservations, provides access to over 50 European train companies including SNCF, Eurostar, Thalys and many more. On April 30th, the company filed a breach notification with the California Attorney General’s Office stating that “On February 16, 2018, as a result of a query from one of our banks, we discovered that beginning on November 29, 2017, through February 16, 2018, unauthorized persons gained unauthorized access to our e-commerce websites’ IT platform.”
The personal information that may have been involved is: name, gender, delivery address, invoicing address, telephone number, email address, credit/debit card number, expiration date and CVV of customers, and, in some cases, username and password of registered users who created personal accounts on a RENA website.
The breach notification detailed the company's response: RENA replaced and rebuilt all compromised systems from known safe code, any potentially untrusted components were removed, passwords were changed on all systems and applications, certificates were renewed, and security controls were hardened. RENA has also provided notice to the credit card brands and its credit/debit card transaction processors.
In addition, RENA is offering identity theft protection services through ID Experts®, the data breach and recovery services expert, to provide affected customers with MyIDCare™. MyIDCare services include: 12 months of Credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, exclusive educational materials and fully managed ID theft recovery services.
Paul Bischoff, Privacy Advocate at Comparitech.com, told us: “The breach at Rail Europe is disconcerting not only because of what information was accessed by hackers, but how that information was accessed. Data breaches typically occur when a hacker gains unauthorized access to a database. In this case, however, the hackers were able to affect the front end of the Rail Europe website with ‘skimming’ malware, meaning customers gave payment and other information directly to the hackers through the website. While the details haven’t been fully disclosed, the fact that this went on for three months shows a clear lack of security by Rail Europe.”
Ryan Wilk, vice president at NuData Security, a Mastercard company, stated: “This is exactly why so many eCommerce entities, merchants, and financial institutions are turning to multi-layered solutions that incorporate passive biometrics and behavioural analytics. With these technologies, even when consumer information is stolen, the breached credentials cannot be used to log into someone else’s account or to make a fraudulent transaction. With these multi-layered solutions, verification is derived from hundreds of indicators based on the user’s online behaviour – not relying on a password or challenge questions. These behaviours cannot be mimicked by hackers, protecting customers and businesses from post-breach damage. Today’s news is a call to action for every entity handling customer payment data and other personally identifiable information.”