Hacker finds data security weak spot in Swiss railway system

An anonymous hacker gained access to the personal data of thousands of passengers who bought tickets from Swiss Federal Railways.

The embarrassing IT security weak spot in the Swisscard system, which has since been fixed, was reported to the Rundschau programmeExternal link on Swiss public television, SRF, on Monday.

The information included the names of the travellers, their date of birth, the number of first- and second-class tickets purchased and the place of departure and destination.

The hacker told Rundschau that the recent attack required no specialist IT knowledge: “The sensitive data was practically public on the internet.”

The data was never made public and has been returned to Swiss Railways. The hacker said they had no criminal intent but merely wanted to expose the problem.

The Federal Data Protection Commissioner was informed of the security breach.

'Potential for abuse'

“This is a huge meltdown for Swiss Railways," Otto Hostettler, a journalist and author specialising in internet crime, told Rundschau. “Such data can be sold in hacker forums on the dark web. In the wrong hands it would have great potential for abuse.”

This has been demonstrated by hacks into Swiss municipal databases in recent months, including the towns of MontreuxExternal link and Rolle in western Switzerland.

The group that hacked the Rolle database posted information on the dark net and warned it could attack other towns, companies or hospitalsExternal link.

Swiss news magazine Beobachter reported that 2,700 Swiss companies fell victim to ransomware hacks between August 2020 and August 2021. An article in Le Temps newspaper in December estimated that around 2,000 ransomware attacks targeted SwitzerlandExternal link last year.

Swiss companies fear cyberattacks more than Covid-19 disruptionsExternal link, according to a survey by insurer Allianz published earlier this month.