Hacker Flags Flaw in Swiss Railway System
An anonymous hacker has raised the alarm after discovering a vulnerability impacting Switzerland’s national railway system.
The flaw allowed the hacker to gain access to personal data belonging to around 500,000 individuals who had purchased tickets to ride on Swiss Federal Railways (SFR).
After detecting a weak spot in SFR’s Swiss Card system, the hacker reported it to the Rundschau show, which airs on Swiss public television, SRF.
Information left vulnerable by the flaw included travelers’ names, dates of birth, the number of first- and second-class tickets they purchased, places of departure and final destinations.
Speaking to the Rundschau program, the hacker said that anyone could have easily viewed the data as no specialist IT knowledge was needed to exploit the flaw.
“The sensitive data was practically public on the internet,” said the hacker.
The security breach was reported to Switzerland’s Federal Data Protection Commissioner.
According to Swiss news site Swiss Info, the data compromised by the hacker was never made public and has since been secured by SFR.
The hacker said that their motivation in exploiting the flaw was to expose its existence in the hope of averting a potentially malicious cyber-attack.
“This is a huge meltdown for Swiss Railways,” Otto Hostettler, an author and journalist specializing in cybercrime, told the Rundschau program.
“Such data can be sold in hacker forums on the dark web. In the wrong hands, it would have great potential for abuse.”
Cyber-criminals have been known to target the Swiss rail industry. In May 2020, hackers stole data from Swiss train manufacturer Stadler Rail and demanded a payment of $6m in Bitcoin for its return.
Following the attack, Stadler released a statement saying that it “is not and has never been willing to make payments to blackmailers and has not entered into negotiations.”
In response to Stadler’s rebuff, the cyber-thieves published images of some of the stolen files on the internet. A message accompanying the images stated that the criminals had swiped no fewer than 10,000 documents from the train maker.
The company said it had backups of all the data compromised in the attack.
More Stories
Security at the core of Intel’s new vPro platform
Intel has introduced its 13th Generation Core processor line, which the company claims is the first to build threat detection...
New Post-Exploitation Attack Method Found Affecting Okta Passwords
The flaw derives from the way the Okta system records failed login attempts to instances Read More
Fake GPT Chrome extension steals Facebook session cookies, breaks into accounts
The world has gone ChatGPT bonkers. Which makes it an effective lure for cybercriminals who may want to break into...
Critical flaw in AI testing framework MLflow can lead to server and data compromise
MLflow, an open-source framework that's used by many organizations to manage their machine-learning tests and record results, received a patch...
New vulnerabilities found in industrial control systems of major vendors
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued advisories on 49 vulnerabilities in eight industrial control systems (ICS)...
Mass Ransomware Attack
A vulnerability in a popular data transfer tool has resulted in a mass ransomware attack: TechCrunch has learned of dozens...