LNER Reveals Supply Chain Attack Compromised Customer Information

The operator of one of the UK’s busiest rail lines has admitted that an unauthorized third party has accessed customer details via a supplier.

LNER, the government-owned company that runs east coast services between London and Scotland, revealed the incident in an online update yesterday.

“We have been made aware of unauthorised access to files managed by a third-party supplier, which involves customer contact details and some information about previous journeys,” it said.

“Importantly, no bank, payment card or password information has been affected.”

However, the train operator did warn that compromised information could be used to target customers in follow-on attacks.

“Please be cautious of unsolicited communications, especially those asking for personal information. If in doubt, do not respond,” it urged.

LNER’s warnings were echoed by security experts.

“The data exposed in the LNER breach, while not of critical security context, can still be used to generate compelling phishing documents and other attacks against a user’s identity,” said Huntress senior security operations analyst, Michael Tigges.

“Incidents such as these are a stark reminder that while the primary organization may protect our data, third parties around the world constantly handle data and personal information in the regular course of their business.”

He urged businesses to carry out regular tabletop exercises, as well as data discovery, to understand where sensitive information flows out of the organization and how it is protected.

“End users should consider hardening their identities (emails and personal information) with identity threat detection and response systems to help detect attacks that may weaponize the information stolen,” Tigges added.

As no passwords were stolen in the incident, LNER is not resetting customer credentials, although it reminded them that “it is always good practice to maintain a secure password and to change passwords regularly.”

In a speech in London yesterday, security minister Dan Jarvis called out several government initiatives designed to crack down on cyber and fraud threats.

“We are boosting police powers through the Crime and Policing Bill, so that law enforcement can suspend IP addresses and domain names being used to facilitate serious crime,” he said.

“And I am driving forward across government the new package of legislative measures we intend to introduce in the coming year to protect UK businesses from ransomware.”

Image credit: Bradley Caslin / Shutterstock.com
