LNER (London North Eastern Railway)

LNER, a UK government-owned rail operator, confirmed that an unauthorized third party accessed customer data via one of its suppliers. The breach exposed customer contact details and partial journey history, though no financial (bank/payment card) or password information was compromised. The stolen data could be weaponized for targeted phishing or follow-on identity-based attacks, as warned by LNER and cybersecurity experts. While the immediate impact is limited to non-critical personal information, the incident highlights risks tied to third-party vendor vulnerabilities. LNER advised customers to remain vigilant against unsolicited communications but did not mandate password resets, emphasizing general password hygiene as a precaution. Security analysts stressed the need for organizations to map data flows to third parties and deploy identity threat detection to mitigate risks from such exposures.

Source: https://www.infosecurity-magazine.com/news/lner-supply-chain-attack-customer/

TPRM report: https://www.rankiteo.com/company/london-north-eastern-railway

"id": "lon3852638100225",
"linkid": "london-north-eastern-railway",
"type": "Breach",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'transportation (rail)',
                        'location': 'United Kingdom',
                        'name': 'London North Eastern Railway (LNER)',
                        'type': 'government-owned rail operator'}],
 'attack_vector': 'third-party supplier compromise',
 'customer_advisories': ['Be cautious of unsolicited communications asking for '
                         'personal information.',
                         'Do not respond to suspicious messages.',
                         'Regularly change passwords as a best practice.'],
 'data_breach': {'data_exfiltration': 'yes',
                 'personally_identifiable_information': 'yes (contact details)',
                 'sensitivity_of_data': 'moderate (potential for phishing but '
                                        'no financial/password data)',
                 'type_of_data_compromised': ['customer contact details',
                                              'previous journey information']},
 'description': 'LNER, the operator of one of the UK’s busiest rail lines, '
                'disclosed that an unauthorized third party accessed customer '
                'details via a supplier. The compromised data includes '
                'customer contact details and some information about previous '
                'journeys, but no bank, payment card, or password information '
                'was affected. The incident poses a risk of follow-on phishing '
                'attacks targeting customers.',
 'impact': {'brand_reputation_impact': 'potential risk due to follow-on '
                                       'phishing attacks',
            'data_compromised': ['customer contact details',
                                 'previous journey information'],
            'identity_theft_risk': 'high (phishing attacks using compromised '
                                   'details)',
            'payment_information_risk': 'none (no bank/payment card data '
                                        'exposed)'},
 'initial_access_broker': {'entry_point': 'third-party supplier systems',
                           'high_value_targets': ['customer contact details',
                                                  'journey information']},
 'investigation_status': 'ongoing (no resolution details provided)',
 'lessons_learned': ['Third-party suppliers pose significant risks to data '
                     'security.',
                     'Regular tabletop exercises and data discovery are '
                     'critical to understanding data flows and protection '
                     'measures.',
                     'End users should harden identities with threat detection '
                     'systems to mitigate risks from stolen information.'],
 'post_incident_analysis': {'root_causes': ['third-party supplier security '
                                            'vulnerability']},
 'recommendations': ['Businesses should conduct regular audits of third-party '
                     'suppliers handling sensitive data.',
                     'Implement identity threat detection and response systems '
                     'for end users.',
                     'Customers should remain vigilant against phishing '
                     'attempts and practice good password hygiene.'],
 'references': [{'source': 'Infosecurity Magazine'},
                {'source': 'LNER Public Disclosure'},
                {'source': 'Huntress Security Analysis (Michael Tigges)'},
                {'source': 'UK Security Minister Dan Jarvis Speech'}],
 'response': {'communication_strategy': ['public disclosure',
                                         'customer warning about unsolicited '
                                         'communications'],
              'remediation_measures': ['customer advisory on phishing risks']},
 'stakeholder_advisories': ['warning about phishing risks',
                            'no password reset required but advised to '
                            'maintain secure passwords'],
 'threat_actor': 'unauthorized third party',
 'title': 'Unauthorized Access to LNER Customer Details via Third-Party '
          'Supplier',
 'type': ['data breach', 'third-party breach']}