A hacker has raised the alarm after discovering a vulnerability impacting Switzerland’s railways. The flaw allowed the hacker to gain access to personal data belonging to around 500,000 individuals who had purchased tickets to ride on Swiss Federal Railways (SFR).
After detecting an entry point in SFR’s Swiss Card system, the hacker reported it to SRF, a Swiss public television broadcaster.
Information left vulnerable by the flaw included passenger names, dates of birth, the number of first- and second-class tickets they purchased, places of departure and final destinations.
The sensitive data was available publicly on the internet. The security breach was reported to Switzerland’s Federal Data Protection Commissioner.
According to Swiss Info, the data compromised by the hacker was never made public and has since been secured by SFR. The hacker said that their motivation in exploiting the flaw was to expose its existence in the hope of averting a potentially malicious cyber-attack.
Data of this kind can be sold on hacker forums on the dark web. In the wrong hands, it would have great potential for abuse. Cyber-criminals have been known to target the Swiss rail industry. In a similar incident that took place in May 2020, hackers stole data from Swiss train manufacturer Stadler Rail and demanded a payment of $6m in Bitcoin for its return.