Hackers were able to gain unauthorised access to the IT platform of Rail Europe's e-commerce websites for three long months before the firm was alerted to a possible breach by one of its banks.
Rail Europe recently confirmed that the IT platform of its e-commerce websites, that are used by people in the US to book train tickets in Europe, was subject to unauthorised access by hackers who then exploited the access to possibly steal a large trove of customer data.
It warned that hackers behind the operation "may have compromised" sensitive personal information of people who booked tickets on the e-commerce websites. Such information included names, gender, delivery address, invoicing address, telephone number, email address, credit/debit card number, expiration date and CVV of customers, and, in some cases, username and password of registered users who created personal accounts on a RENA website.
According to the letter, hackers obtained unauthorised access to the IT platform on 29 November and continued to access customer data until the operation was detected on 16 February, following which all compromised servers were taken offline. It is possible that the hacking would have continued had the bank not discovered evidence of fraudulent activity.
Mark James, a security specialist at ESET, told SC Magazine UK that information gathered by hackers from Rail Europe's IT platform is enough to make purchases online without the end user being present or aware. Details such as credit card numbers, expiration dates, card verification codes along with name, gender, delivery and invoicing addresses, phone numbers, and email addresses in the hands of fraudsters could leave a huge number of users with financial worries.
To its credit, Rail Europe disclosed the breach to affected customers shortly after the breach was discovered and took active steps to ensure that existing vulnerabilities were plugged.
"RENA replaced and rebuilt all compromised systems from known safe code, any potentially untrusted components were removed, passwords were changed on all systems and applications, certificates were renewed, and security controls were hardened. RENA has also provided notice to the credit card brands and our credit/debit card transaction processors," the firm said.
At the same time, the firm also offered identity theft protection services through ID Experts® to affected customers along with 12 months of Credit and CyberScan monitoring, a US$ 1,000,000 (£740,000) insurance reimbursement policy, and exclusive educational materials.
However, how hackers could infiltrate the IT platform of Rail Europe's e-commerce websites and stay hidden for nearly three months without being detected is a question that the firm needs to answer to win back the trust of affected customers.
Patrick Hunter, director at One Identity, told SC Magazine UK that a hacker wouldn't have been able to get inside the web server and gain sufficient privilege to install malware without stealing an internal account with privileged rights first. The fact that Rail Europe changed their passwords is an indication that hackers may have gained access to the IT platform through this route.
"Attacks like this are generally a chain of events. The hacker has to gain access to the network or the webserver directly or via an exploit, then search around for the right accounts in order to get their software in place before finding a method to elevate to that account. If companies used best practice with regards to passwords by regularly changing them, or even better locking them away so that no one actually knows them, then these situations can be avoided.
"If you have to ask for the password for a particular server every time you wish to access it, and gain some form of permission via a workflow or use two-factor authentication, then it is significantly harder to gain those rights," he added.
Ryan Wilk, vice president at NuData Security, said that firms that run e-commerce websites need to implement multi-layered solutions that incorporate passive biometrics and behavioural analytics in order to defend against such intrusions.
"With these multi-layered solutions, verification is derived from hundreds of indicators based on the user's online behaviour – not relying on a password or challenge questions. These behaviours cannot be mimicked by hackers, protecting customers and businesses from post-breach damage. Today's news is a call to action for every entity handling customer payment data and other personally identifiable information," he added.
In a separate development in Denmark on Sunday, a DDoS attack prevented travellers from buying DBS train tickets via online service DSB app, on its website, at ticket machines and in 7-Eleven kiosks at stations.
DBS' internal mail and telephone systems were also hit. Passengers without travel cards were able to buy tickets from staff on the trains and DSB reported that all systems were back to normal by Monday.