The incident, which took place in mid-October, follows major breaches at several airlines — but this time around no payment details were affected
Eurostar has reset all customers’ online passwords after detecting an “attempted” hack, the rail company confirmed.
The incident follows major breaches at several airlines.
Eurostar customers reported receiving emails from Eurostar earlier this week notifying them of the reset and attributing it to an “automated attempt” to access Eurostar accounts using email addresses and passwords.
The company hasn’t confirmed whether the attempted hack was successful or how many users may have been affected.
The hacking campaign was carried out from 15 to 19 October, Eurostar said, adding that it has notified the Information Commissioner’s Office (ICO).
Eurostar had previously informed users that the password reset was due to “maintenance” carried out on the Eurostar website.
“We’ve since carried out an investigation which shows that your account was logged into between the 15 and 19 October,” Eurostar said in the customer email. “If you didn’t log in during this period, there’s a possibility your account was accessed by this unauthorised attempt.”
Customers were told to look for signs of “unusual” activity in their accounts and to reset their credentials on other sites where they have reused their Eurostar passwords.
Eurostar told Silicon UK it had carried out the rest as a “precaution”, adding that no payment data was affected.
“We deliberately never store any payment details or bank card information, so there is no possibility of those being compromised,” the company said.
The ICO said it was looking into the matter.
“We’ve received a data breach report from Eurostar and are making enquiries,” the ICO stated.
The new GDPR data protection rules require firms to report breaches that involve EU citizens to the regulator within 72 hours, even if they do not yet have full details.
British Airways recently said it had uncovered two distinct attacks, one involving 380,000 transactions made over its website and the other resulting in the theft of payment card data from 185,000 people.