The National Railroad Passenger Corporation (Amtrak) has disclosed a data breach which may have led to the compromise of customer personally identifiable information (PII).

In a letter to the Attorney General’s Office of Vermont, made public on Friday, the rail service stated that an unknown third party managed to fraudulently access Amtrak Guest Rewards accounts.

According to Amtrak, compromised usernames and passwords were used to access some accounts and some personal information may have been viewed.

The Amtrak Guest Rewards service allows passengers to accumulate points when they travel in exchange for discounts, hotels, and gift cards.

Amtrak said no financial data, credit card information or social security numbers were compromised. Amtrak’s security team investigated and terminated the unauthorized access
within a few hours, and have contained the incident. Affected customers have been offered a complementary one-year membership of Experian.