Monday 22 Jun, 2026

SJ's system hacked – 1.3 million customers forced to change passwords


Photo: sj.se

SJ has been the victim of fraud and login credentials have been leaked.

Customers have also had their so-called priority points stolen. Now all 1.3 million users must change their passwords.

“We are taking this very seriously; taking measures like these is not something that is done lightly,” says Jan Sjölund, Head of Security at SJ.

The fraud occurred over three weeks ago, between 18 and 20 November. It was only on Wednesday that the company announced the breach had happened.

SJ has identified around 60 customers who have been affected and lost priority points. The points are earned on journeys and can then be used to purchase journeys or goods from the company. The customers have been compensated with the points they lost, according to SJ.

“From what we have been able to see so far, it is most likely members who have used the same passwords on other sites that have been affected. The passwords have leaked out and then these fraudsters have been able to use the passwords to get into our site,” says Jan Sjölund.

The passwords have not been leaked from SJ, according to the security manager.

Following the breach, all 1.3 million users with a Priority account at the train company are being forced to change their passwords. All passwords have been deactivated, and the company is sending out emails in the coming days asking users to choose a new one. The company has also closed its points shop for several goods and services.

“These are services where you have goods that are more tradable than others,” says Jan Sjölund, adding that purchasing travel with priority points remains open.

It is unclear when the goods and services can reopen.

He does not want to go into detail about the amounts that have disappeared or how the points have been used by the fraudsters, citing that SJ has reported the incident to the police and that an investigation is underway.

According to SJ, no account card details have been leaked as they are stored encrypted with an external party.

Jan Sjölund states that because the fraudsters logged in with real login details, SJ does not know exactly how many customers have been affected.

“It's impossible for us to see when the person has the correct password. If you notice that points are missing and that there have been transactions you don't recognise, you should contact us,” says the security manager.

He points out that SJ takes the intrusion very seriously and safeguards customers' security when they use the company's systems. At the same time, it is difficult to protect oneself when passwords that people use on other sites are leaked, according to Sjölund.

“As a private individual, one should always remember to use a unique password for each website.”

Source: TT
