Rail Europe had a three-month long credit card breach

It has been reported that Rail Europe, a site used by Americans to buy train tickets in Europe, has revealed a three-month data breach of credit cards and debit cards.


The announcement came in a letter filed with the California attorney general, in which the company said hackers put credit card-skimming malware on its website between late-November 2017 and mid-February 2018.

The company said credit card numbers, expiration dates, and card verification codes were stolen — everything needed by a fraudster to carry out unauthorized purchases. The hackers also stole name, gender, delivery and invoicing addresses, phone numbers, email addresses, and in some cases usernames and passwords of customers on the website.

Expert commentary on this news:


Patrick Hunter, Director at One Identity: 


“If we put aside the fact the fraud went undetected for 3 months, the questions still has to be asked:  How could a hacker get that malware onto the webserver in the first place?

A webserver isn’t like someone’s laptop where an employee, uneducated on cybersecurity, might just click on a link and unwittingly install the malware – although this maybe where the journey started.  The hackers had to get access to the webservers and then gain sufficient privilege in order to install their malware.  Rail Europe didn’t give any detail on the method of attack but it seems they suspect a hacker used an account with privileged rights as they have changed their passwords.

Either way, attacks like this are generally a chain of events.  The hacker has to gain access to the network or the webserver directly or via an exploit, then search around for the right accounts in order to get their software in place before finding a method to elevate to that account.  If companies used best practice with regards to passwords by regularly changing them, or even better locking them away so that no one actually knows them, then these situations can be avoided.  If you have to ask for the password for a particular server every time you wish to access it, and gain some form of permission via a workflow or use two-factor authentication, then it is significantly harder to gain those rights.  

Right now, breaches like this are embarrassing at the very least but with the latest revision of GDPR less than two weeks away, organisations should be looking into these simple solutions to keep their stable doors locked.”


Paul Bischoff, Privacy Advocate at Comparitech.com: 

“The breach at Rail Europe is disconcerting not only because of what information was accessed by hackers, but how that information was accessed. Data breaches typically occur when a hacker gains unauthorized access to a database. In this case, however, the hackers were able to affect the front end of the Rail Europe website with “skimming” malware, meaning customers gave payment and other information directly to the hackers through the website. While the details haven’t been fully disclosed, the fact that this went on for three months shows a clear lack of security by Rail Europe. 

Credit card skimming usually refers to the practice of covertly running a person’s physical card through an additional magnetic strip scanner to steal the information off of it. These “skimmers” are often placed on top of existing hardware to make it look though the skimmer is part of the original ATM or point of payment. Rail Europe seems to have adapted that terminology to their own situation.

This also means all or nearly all of customers’ payment information was current and working, making it even more valuable. Rail Europe customers should keep an eye on their accounts for unauthorized activity and immediately change their passwords. Because email addresses and other personal information was leaked, they should also be on the lookout for targeted phishing scams in the months ahead.”