How The Amtrak Hack Went Down
Amtrak Guest Rewards users’ personally identifiable information (PII) was compromised.
The attacker likely used compromised usernames and passwords to access some reward accounts. It’s possible more PII was exposed, but the attacker didn’t access financial data (credit cards or SSNs).
Amtrak fixed the hole and blocked the unauthorized access within a few hours. It also initiated a password reset on potentially affected accounts.
Beyond the immediate effects, the long-term ramifications are significant.
Amtrak was required to file with regulators, which raises the possibility of fines and additional scrutiny in the future, on top of a big reputational hit. In reality, it doesn’t matter that your users may reuse login information on your service—it matters that attackers targeted your service with those credentials, and customers will still want you to remedy the situation. This is all in addition to the outside security help and customer credit monitoring costs associated with mitigating the attack.
How Companies Can Prevent This Attack
Amtrak was likely not using any kind of anomalous activity logging that would have highlighted an attacker’s attempts at “credential stuffing” – trying username and password pairs leaked from other services against your application.
Functionality to challenge a login from an unknown device should be table stakes for any online service. Simply requiring a login code sent to the registered email address can stop many attacks of this type. Upon testing by Havoc Shield, it appears Amtrak doesn’t provide any such protection.
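To make the two controls above concrete (anomalous activity logging that spots credential stuffing, and a step-up challenge for unknown devices), here is an added example in Python. It is not Amtrak’s or Havoc Shield’s code; the log format, the sample events, the known-device table and the thresholds are all assumptions constructed for the illustration.

```python
# Added example: flag credential stuffing in login logs and decide when a
# login from an unknown device needs an emailed challenge code.
# Log layout, sample data and thresholds are constructed assumptions.
from collections import defaultdict

# Constructed sample log: (unix_time, source_ip, username, success, device_id)
SAMPLE_LOG = [
    (1000, "203.0.113.7", "alice", False, "dev-x"),
    (1001, "203.0.113.7", "bob", False, "dev-x"),
    (1002, "203.0.113.7", "carol", False, "dev-x"),
    (1003, "203.0.113.7", "dave", True, "dev-x"),    # a reused password hit
    (1004, "203.0.113.7", "erin", False, "dev-x"),
    (1010, "198.51.100.4", "alice", False, "dev-a"),  # one user's typo
    (1011, "198.51.100.4", "alice", True, "dev-a"),
]

def detect_credential_stuffing(events, window=60, min_users=4, max_success_rate=0.5):
    """Return source IPs that tried at least `min_users` distinct usernames
    within `window` seconds with a mostly failing outcome. Stuffing looks
    like one client spraying many *different* accounts, unlike a single
    user mistyping their own password a few times."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok, _dev in events:
        by_ip[ip].append((ts, user, ok))
    flagged = set()
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            in_win = [r for r in rows[i:] if r[0] - start <= window]
            users = {u for _, u, _ in in_win}
            successes = sum(1 for _, _, ok in in_win if ok)
            if len(users) >= min_users and successes / len(in_win) <= max_success_rate:
                flagged.add(ip)
                break
    return flagged

def needs_device_challenge(username, device_id, known_devices):
    """Adaptive step-up: a correct password alone is not enough when the
    device has never been seen for this account; require an emailed code."""
    return device_id not in known_devices.get(username, set())

KNOWN_DEVICES = {"dave": {"dev-d"}, "alice": {"dev-a"}}  # constructed

if __name__ == "__main__":
    print("stuffing sources:", detect_credential_stuffing(SAMPLE_LOG))
    for ts, ip, user, ok, dev in SAMPLE_LOG:
        if ok and needs_device_challenge(user, dev, KNOWN_DEVICES):
            print(f"challenge {user} from {ip}: unknown device {dev}")
```

In the sample, the spraying source is flagged while the single user retrying a typo is not, and dave’s successful login from the never-seen device is the one that gets a challenge.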
Havoc Shield can help you roll out plug-and-play anomalous activity logging and adaptive authentication challenges via our integrated partners. We can also help highlight these types of insecurities by performing automated vulnerability scans against your online services, and presenting your team with easy-to-follow guidance on how to resolve them as they’re discovered (before they’re discovered by attackers).