European high-speed railway service Eurostar reset all user account passwords after a security incident, according to the Telegraph.
The rail company detected unauthorized attempts to access user accounts between October 15 and 19, and immediately sent a notification email to the customers affected. Hackers used legitimate email addresses and passwords on the Eurostar website.
The company says the attack did not compromise credit card and payment details, which are not stored on their systems. They blocked accounts to prevent things from getting out of hand.
The exact number of affected accounts was not mentioned, nor was the type of data leaked.
“We have taken this action as a precaution because we identified what we believe to be an unauthorized automated attempt to access eurostar.com accounts using your email address and password,” the company told customers.
“We’ve since carried out an investigation which shows that your account was logged into between the 15 and 19 October. If you didn’t log in during this period, there’s a possibility your account was accessed by this unauthorized attempt.”
The Information Commissioner’s Office was informed and is looking into the matter.
“We’ve received a data breach report from Eurostar and are making enquiries,” said a spokeswoman.
As per GDPR requirements, companies that detect breaches affecting personal data of EU citizens must inform their customers within 72 hours. If companies don’t comply with GDPR requirements, they face hefty fines.
A number of companies operating with customer data have been hacked in the past months, including Air Canada, British Airways and Cathay Pacific. There’s no evidence linking them to the Eurostar breach.