Amtrak reports data breach of traveler Guest Rewards

On June 18, 2024, Amtrak reported a data breach affecting the Guest Rewards accounts of its train travelers. The breach occurred between May 15-18, 2024, and involved unauthorized access to sensitive account information through the use of compromised credentials from prior breaches.

The breach did not involve a direct hack of Amtrak's systems but abused stolen usernames and passwords to access accounts. Attackers managed to take over some accounts, changing email addresses and passwords to lock out legitimate users.

Amtrak responded by reverting email addresses to their original owners and initiating password resets for affected accounts.

Exposed Data:

• Name
• Contact information
• Amtrak Guest Rewards account number
• Date of birth
• Payment details (partial credit card number and expiration date)
• Gift card information (card number and PIN)
• Transaction and trip information

Amtrak has not disclosed the exact number of affected individuals.

The company urged customers to change their passwords and implement multifactor authentication (MFA) to prevent future unauthorized access.