
Attacker steals customer data from Brit rail operator LNER during break-in at supplier

(2025/09/11)


One of the UK's largest rail operators, LNER, is the latest organization to spill user data via a third-party data breach.

It confirmed the incident on Wednesday, saying customer contact details and "some information about previous journeys" were accessed at a third-party supplier.


London North Eastern Railway (LNER) did not name the third party responsible for the intrusion, but assured that whichever company it was, it does not store details such as bank accounts, payment cards, or passwords.

"We will provide further updates as more information becomes available," it said in its [2]most recent statement.

A factsheet supplied to customers confirms that the attack has not impacted its ticketing or rail services, which focus on long-distance inter-city services with the main hubs being in Edinburgh, Leeds, London, Newcastle, and York.


However, customers are advised to be wary of potential [4]phishing attempts.


"Please be cautious of unsolicited communications, especially those asking for personal information. If in doubt, do not respond."

LNER said customers do not need to inform their bank about the incident, and while it fell short of recommending a password reset, it said: "It is always good practice to maintain a secure password and to change passwords regularly."


The rail operator did not confirm who was behind the intrusion, or whether it was related to the ongoing [8]attacks on high-profile organizations connected to [9]Salesloft Drift, although experts say it's a possibility.

"Information relating to this breach is vague, so it's hard to say exactly how this attack was executed," said William Wright, CEO at Closed Door Security.


"We know it occurred on a supplier to LNER, but we don't know if it was an insider breach, where an employee at the supplier gained access to LNER data, or if the data was accessed by a threat actor that exploited the supplier to gain access to its systems.

"If it does turn out to be the latter, then the incident could be related to the recent attacks on Salesforce, which have been affecting organizations globally.

"Regardless of how the attack was executed, LNER customers should take note of the advice offered by the organization."


The Register asked LNER for more details, including how many customers are affected, whether the attackers still have access to company data, and more.

LNER refused to comment further at this stage. ®




[1] https://www.theregister.com/2025/09/08/drift_breach_entry_salesloft_github/

[2] https://www.lner.co.uk/news/lner-media-update-data-information/


[4] https://www.theregister.com/2025/07/07/phishing_platforms_infostealers_blamed_for/


[8] https://www.theregister.com/2025/09/02/zscaler_customer_data_drift_compromise/

[9] https://www.theregister.com/2025/09/08/drift_breach_entry_salesloft_github/

[10] https://www.theregister.com/2025/06/30/deutsche_bahn_test/

[11] https://www.theregister.com/2025/07/14/train_brakes_flaw/

[12] https://www.theregister.com/2023/08/05/huawei_deutsche_bahn_germany/

[13] https://www.theregister.com/2021/05/11/west_midlands_trains_phishing_drill_goes_off/




Ol'Peculier

Worthwhile pointing out that LNER is owned by the government as an operator of last resort.

As contracts expire, eventually every rail operator in England (not sure about ScotRail, might already be owned by the Scots, or Wales) will become part of this scheme.

Dave559

Transport for Wales Rail and ScotRail (and Northern Ireland Railways, come to that, which was never privatised) are already directly owned by their respective national governments.

It's sadly often the case that the regent government-for-England tends to only do something progressive after the other nations of the UK have already done so (yes, we all either own or directly manage our water services as well). ;-)

(InterCity East Coast was indeed taken back into state operation (as LNER) earlier than those others, but was originally intended to be only a temporary operator, before it finally became clear that privatisation really wasn't working overall, that the public were fed up with it, and that the remaining English and internal cross-border train operating companies should also be renationalised.)

hoola

Whilst correct if the loss occurred at the third party it is not exactly down to the Government's failing. So much is outsourced it is difficult to see where the lines of actual responsibility are. Managlement like to manage contracts and SLAs. Then when it all goes tits-up they point fingers at the third party and say "not our fault".

It is a common theme and as far as I can see is a way of divesting the difficult technical or financial responsibility to others with the inevitable crap outcome.

As an aside the ticketing platform that LNER developed (with third parties) is going to be adopted to replace all the other apps and one assumes the National Rail app. Maybe this is what got zapped.
