British rail passengers urged to stay on guard after hack signals failure

Passengers of the UK's state-owned London North Eastern Railway (LNER) have been warned to be vigilant after cybercriminals accessed traveller's contact details and some information about past journeys.

According to an advisory issued by LNER on its website, the railway became aware that customer information had been accessed following a security breach involving an unnamed third-party supplier.

The good news is that LNER says that no banking or payment details, or password data, was accessed during the cyber attack, and that train schedules and ticket sales have not been impacted.

Nonetheless, that does not mean that there are no risks at all. For that reason LNER is warning customers to remain "cautious of unsolicited communications, especially those asking for personal information."

That's good advice from LNER, because in the past cybercriminals and fraudsters have used the personal data that they have been able to access as a stepping-stone for gathering more information from individuals - which, when combined, could lead to more serious problems down the line.

For instance, if a hacker has managed to determine the email address or phone number of an LNER customer, it would be trivial fo them to contact the passenger claiming to be from LNER themselves. The scammers could suggest that they are offering compensation to a passenger inconvenienced by a late train, or even by the actual data breach, and ask them to visit a link to log into their account or enter their payment information.

In this way, a cybercriminal could relatively easily gather the essential information to commit fraud that their initial attack failed to scoop up.

LNER says is not resetting customer credentials, as no passwords were stolen in the breach. However, it has told customers that "it is always good practice to maintain a secure password and to change passwords regularly."

Unfortunately I don't agree with the advice to change passwords regularly. I do think that it is a good idea to have a strong, unique password that you are not using anywhere else on the internet. Ideally you should store it in a secure password manager, which will mean that you don't have to rely upon your memory - a tricky challenge when you may have hundreds of different passwords.

But telling people to change their passwords regularly, can lead to people actually choosing weaker or more predictable passwords. Imagine, for instance, if your workplace demanded that you changed your login password on the first day of every month. Isn't there an increased chance that people will opt for something weak like "password1", "password2", "password3", or "passwordjan", "passwordfeb", "passwordmar"?

Better to have a strong, unique password I would say - and only change it when there is a need to change it.

LNER says that it has engaged with the third-party supplier involved and cybersecurity experts to establish the full nature of the security breach, and ensure that all necessary safeguards are in place to prevent such a similar breach from happening again.

I can't help but feel sorry for not only LNER's customers, but also LNER itself. After all, it is their brand which has been tarnished by the data breach - even though it doesn't appear that it happened on their computer systems, but rather on the IT of an as-yet unnamed supplier.

Of course, there is a responsibility on all companies to demand that their suppliers take security seriously and have defensive measures in place, especially when they handle information about customers.

Here’s hoping LNER and its suppliers get their cybersecurity back on track — before passengers lose faith and the whole operation goes off the rails.