Passenger details exposed in LNER third-party data breach
Operator confirms breach linked to external supplier but says no financial data at risk
London North Eastern Railway (LNER) confirmed on Wednesday that a cyber-attack on a third-party supplier exposed passenger data, including contact information and records of previous journeys.
LNER has not named the supplier involved or specified how long the attackers had access to the files, but says no bank details, card information or passwords were exposed.
The operator said it was working with security specialists to understand the full impact of the breach. “We are treating this matter with the highest priority and are working closely with experts and with the supplier to understand what has happened and to make sure appropriate safeguards are in place,” the company said. “We will provide further updates as more information becomes available.”
Although LNER claims the affected third-party supplier did not have access to its password records, it did encourage customers to “maintain a secure password.”
The operator also assured customers that services and ticketing remain operational, with no disruption to timetables.
Nonetheless, passengers have been warned to watch out for unsolicited messages, particularly those asking for personal details.
A wider pattern of cyber incidents
The disclosure comes amid a run of cyber incidents across the UK transport and retail sectors. Transport for London was hit in September last year when bank details of around 5,000 customers were accessed, leading to weeks of online disruption. More recently, Jaguar Land Rover halted production after attackers infiltrated its systems. Retailers including Marks & Spencer, Harrods and the Co-op have also been targeted this year, underlining the vulnerability of consumer-facing services to data breaches.
As was the case at Marks & Spencer and Harrods, supply chains are being ruthlessly targeted by cyber criminals. Operators rely on third-party providers for essential systems, so a single compromise can open the door to large volumes of customer data.
Computing says:
LNER has declined to provide any details about the supplier involved, and has emphasised in its response that, as far as it is presently aware, financial data has not been compromised. However, the type of data that was breached is often sold on, or stolen and used to carry out scams later on.
For a state-owned operator (the franchise was taken over by the Department for Transport in 2018 after the previous holder handed it back following financial difficulties) carrying millions of passengers each year, maintaining public confidence in its handling of personal data may prove as important as keeping services running on time.