Amtrak discloses data breach, users urged to reset passwords

US passenger railroad service Amtrak, which operates intercity rail services in nearly all states, has started informing some customers of a data breach.

“We recently learned that an unauthorized party may have used your login credentials to gain access to your Amtrak Guest Rewards account,” the company said.

The unusual activity was observed between May 15th, 2024, and May 18th, 2024. Amtrak insists that login credentials were likely obtained from third-party sources rather than Amtrak’s systems.

The data breach notification letter to the authorities in Massachusetts doesn’t disclose how many customers might have been affected by the security incident.

In 2023, 28 million people rode Amtrak trains. Its Guest Rewards program lets members earn points that can subsequently be exchanged for reward travel, upgrades, and gift cards, among other things.

We’ve contacted the company to learn more about the scope of the incident and will update the article as soon as we hear more.

Threat actors might have accessed the following data:

  • Name
  • Amtrak Guest Rewards account number
  • Date of birth
  • Partial credit card details
  • Gift card information
  • Transaction data
  • Travel history

This isn’t the first time that the Amtrak Guest Rewards program has experienced a security incident. In 2020, it disclosed a similar incident involving customers’ Guest Rewards accounts. The scope of the breach wasn’t revealed back then, either.

If you’re a Guest Rewards member and have received such an email, you should immediately change your login credentials and enable multifactor authentication.