Hackers stole customer data from Rail Europe’s website for three months
15 May 2018
Rail Europe North America Inc recently confirmed that between November and February, unknown hackers gained unauthorised access to its e-commerce website and possibly stole sensitive customer data such as name, gender, delivery address, invoicing address, telephone number, email address, credit/debit card number, expiration date and CVV of customers.
The affected e-commerce website is used by U.S. citizens to purchase train tickets in Europe. Rail Europe hasn’t confirmed exactly how many customers were affected by the three-month-long breach but is offering identity theft protection services to all users to ensure details accessed by hackers are not misused.
Breach went undetected for three months
The breach was discovered not by Rail Europe’s internal malware-detection systems, but after the firm was alerted about a possible data breach by one of its banks. However, after confirming that the breach did take place, it took swift measures to plug the breach and to secure customer data from further unauthorised access.
“On February 16, 2018, as a result of a query from one of our banks, we discovered that beginning on November 29, 2017, through February 16, 2018, unauthorized persons gained unauthorized access to our e-commerce websites’ IT platform.
“Upon discovery that this malicious intrusion may have compromised users’ personal information, we immediately cut off from the Internet all compromised servers on February 16, 2018, and engaged information security experts to assist with forensic analysis, system restoration and security hardening.
“The personal information that may have been involved is: name, gender, delivery address, invoicing address, telephone number, email address, credit/debit card number, expiration date and CVV of customers, and, in some cases, username and password of registered users who created personal accounts on a RENA website,” Rail Europe said.
It added that a series of steps it took to secure customer data from unauthorised access included changing of passwords on all systems and applications, renewing certificates, hardening of security controls, replacing and rebuilding compromised systems from known safe code, and removing potentially untrusted components.
“This is exactly why so many eCommerce entities, merchants, and financial institutions are turning to multi-layered solutions that incorporate passive biometrics and behavioural analytics. With these technologies, even when consumer information is stolen, the breached credentials cannot be used to log into someone else’s account to or to make a fraudulent transaction,” said Ryan Wilk, vice president at NuData Security.
“With these multi-layered solutions, verification is derived from hundreds of indicators based on the user’s online behaviour – not relying on a password or challenge questions. These behaviours cannot be mimicked by hackers, protecting customers and businesses from post-breach damage. Today’s news is a call to action for every entity handling customer payment data and other personally identifiable information,” he added.