Rail Europe data breach lasted almost three months

Travel website Rail Europe has informed customers that their lifelong dream to see the sights of Europe by train may have turned into a nightmare.

Rail Europe North America Inc (RENA) is writing to customers to inform them that it has discovered evidence that hackers gained unauthorised access to its ecommerce website used to book tickets, and might have stolen a significant amount of sensitive data.

According to the company, personal information put at risk by the data breach includes:

  • Customers’ names
  • Customers’ gender
  • Customers’ delivery address
  • Customers’ invoicing address
  • Customers’ telephone number
  • Customers’ email address
  • Customers’ credit/debit card number
  • Payment card expiration date and CVV

In addition, in some cases, usernames and passwords of registered users may also have been grabbed. As a consequence it obviously makes sense to change your Rail Europe password, and, if you have made the mistake of using the same password anywhere else on the internet, to change those as well.

Now that would be bad news at the best of times, but what makes this data breach even worse is that it is believed that hackers had access to RENA’s systems for almost three months.

RENA first realised that it might have a problem with its Rail Europe website when it was contacted by one of its banks on February 16, 2018. The company says it “immediately cut off from the internet all compromised servers” upon realising that customers’ personal information may have been compromised, and discovered that its problems had begun on November 29, 2017.

RENA says it has since “replaced and rebuilt” the Rail Europe website, changed passwords, renewed certificates, and hardened its IT security.

In addition, in a letter filed with the California Attorney General, the company is offering identity theft protection to affected customers, in case any users suffer from identity theft as a result of the breach.

Although the number of customers affected by the data breach has not been made public by the company, the breadth of personal data which has been put at risk and the fact that hackers appear to have had access to Rail Europe’s payment systems for such a long time, underline the seriousness of the threat.

What currently remains a mystery, to the general public at least, is just how the hackers managed to breach Rail Europe’s infrastructure. One very real possibility is that the failure may have been down to poor authentication – if a hacker had been able to grab a careless IT worker’s password for a server they might have ended up with free rein to do what they like.

All businesses need to recognise the most critical parts of their infrastructure and protect them with a layered defence, forcing users to prove they are who they claim to be. In this modern age, a simple username and password is not enough.

Another theory is that Rail Europe’s website may have been poorly maintained, allowing a remote hacker to crowbar their way in by exploiting an unpatched vulnerability or incorrect configuration.

My advice to other companies? Test your defences. Adopt a hacking mindset and try to find your company’s weaknesses before a hacker finds and exploits them for their own gain.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
