“The type of attack we saw yesterday is a new way of doing things that we haven’t seen before..."
Cyber security (or the lack of it) has been one of the most consistent themes running through business news stories in recent years. Elements of rail and metro have been slow to wake up to the threat, but two events from last week have reiterated the importance of robust, up-to-date cyber security for both operational and passenger-focussed systems. Firstly, it was revealed that Americans who booked European train tickets through Rail Europe North America (RENA) may be victims of a near-three-month data breach of its e-commerce system. Secondly, Danske Statsbaner (DSB), the largest Danish train operating company, was struck by a significant Distributed Denial of Service (DDoS) cyber attack. The company has confirmed that this attack was the cause of passengers being unable to buy tickets on the 13th May via the company’s app, ticket machines, website and in shops.
RENA is the leading worldwide distributor of European rail products, from rail passes to train tickets and reservations, and provides access to over 50 European train companies including SNCF, Eurostar, Thalys and many more. On April 30th, it filed a breach notification with the California Attorney General's Office stating that “On February 16, 2018, as a result of a query from one of our banks, we discovered that beginning on November 29, 2017, through February 16, 2018, unauthorized persons gained unauthorized access to our e-commerce websites’ IT platform.”
The personal information that may have been involved is: name, gender, delivery address, invoicing address, telephone number, email address, credit/debit card number, expiration date and CVV of customers, and, in some cases, username and password of registered users who created personal accounts on a RENA website.
The breach notification detailed the response: RENA replaced and rebuilt all compromised systems from known safe code, removed any potentially untrusted components, changed passwords on all systems and applications, renewed certificates, and hardened security controls. RENA has also provided notice to the credit
Paul Bischoff, Privacy Advocate at Comparitech.com, told us: “The breach at Rail Europe is disconcerting not only because of what information was accessed by hackers, but how that information was accessed. Data breaches typically occur when a hacker gains unauthorized access to a database. In this case, however, the hackers were able to affect the front end of the Rail Europe website with “skimming” malware, meaning customers gave payment and other information directly to the hackers through the website. While the details haven’t been fully disclosed, the fact that this went on for three months shows a clear lack of security by Rail Europe.”
Ryan Wilk, vice president at NuData Security, a Mastercard company, stated: “This is exactly why so many eCommerce entities, merchants, and financial institutions are turning to multi-layered solutions that incorporate passive biometrics and behavioural analytics. With these technologies, even when consumer information is stolen, the breached credentials cannot be used to log into someone else’s account or to make a fraudulent transaction. With these multi-layered solutions, verification is derived from hundreds of indicators based on the user’s online behaviour – not relying on a password or challenge questions. These behaviours cannot be mimicked by hackers, protecting customers and businesses from post-breach damage. Today’s news is a call to action for every entity handling customer payment data and other personally identifiable information.”
Cyber security for rail and metro is a major focus at Transport Security Congress 2018 (Washington D.C., June 11th – 12th), with confirmed speakers including Sonya Proctor (Director Surface Transportation, Office of Security, TSA), Simon Arnell (DXC Security Chief Technologist, DXC Technology), David Henderson (Rail Cyber Security, UK Department for Transport) and Vito de Santis (Director ICS/PCI Security, Risk & Compliance, MTA New York City Transit) among others. Limited tickets still available.
In further news for the rail industry, DSB in Denmark confirmed that the DDoS attack was the cause of passengers being unable to buy tickets yesterday (13th May) via the company’s app, ticket machines, website and in shops. DSB confirmed that the issue was resolved within a day. Passengers with travel cards were able to use them, while others purchased tickets from ticket inspectors on board trains.
“Our technicians and IT contractors have analysed this closely during the night and have concluded this is an outside attack in which someone has attempted to bring our system down,” DSB vice-director Aske Wieth-Knudsen told journalists.
A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.
As reported in The Local, the attack also hit DSB internal mail and telephone, rendering the company able to communicate via social media or provide staff or customers with further information. A similar issue earlier this year was caused by an electronic failure rather than a cyber attack.
“The type of attack we saw yesterday is a new way of doing things that we [DSB, ed.] haven’t seen before. So a little more close analysis is required for us to see what exactly happened so we can prevent a re-occurrence,” Wieth-Knudsen told DR.
In October 2017, DDoS attacks hit Sweden's transportation network, causing delays to operations. They crashed the IT system that monitors trains' locations and took down email systems, websites, and road traffic maps. During this time, customers were unable to make reservations or receive updates on the delays, BleepingComputer reported, citing local Swedish news reports.
Last month, Network Rail also issued a statement reiterating the importance of this area to them, with Wayne Watson, head of security governance, stating: “Cyber security is an important element of maintaining a safe and reliable railway. All Network Rail staff are responsible for protecting our rail cyber systems and networks so that they are available, keeping people safe and delivering the service our customers expect.”