
If you've ever bought an Amtrak ticket or contacted customer support, your personal information may now be circulating online. As first reported by Cybernews, the hacking group ShinyHunters posted a ransom demand on April 12 claiming to have stolen 9.4 million Amtrak customer data records. The group threatened to release the Amtrak data unless the ransom was paid by April 14. The deadline passed. The data – or at least a portion of it – went public.
Have I Been Pwned, the breach notification service that independently verifies leaked datasets, confirmed over 2.1 million unique customer accounts in the released files. The exposed information includes names, email addresses, physical addresses, and customer support records. Amtrak has not issued a public statement, confirmed the breach, or notified customers. ShinyHunters' claim of 9.4 million records stolen has not been independently confirmed.
While no password or payment data was leaked, the customer support records are more valuable to scammers than most people assume. Those records can contain details about specific trips you booked, delays you reported, billing disputes you filed, and stations you use regularly. That's enough to craft a convincing phishing email that references your real travel history. An Amtrak customer who receives a message mentioning their last trip and asking them to confirm their account details has no obvious reason to be suspicious.
The same group behind a recent ADT breach
ShinyHunters claimed the stolen data came from Amtrak's Salesforce database – the same customer relationship management platform the group breached at ADT days later. Reports indicate the breach involved a social engineering call that tricked an employee into handing over login credentials. Amtrak has not confirmed how the hackers got in.
ShinyHunters has been running this playbook across dozens of organizations. Cisco, Hallmark, Rockstar Games, and McGraw-Hill are among the other known victims this year.
What you should do now
Go to Have I Been Pwned and enter your email address to see if it appears in the Amtrak breach. Be suspicious of any email, text, or call claiming to be from Amtrak, especially ones that reference your past trips or bookings. Don't click links in those messages; go directly to Amtrak.com if you want to confirm information you receive.
Monitor your credit and consider placing a fraud alert with the three major bureaus – Equifax, Experian, and TransUnion. In our article "How to freeze your credit to stop identity theft," we walk you through how to place a fraud alert or a freeze on your credit.