London North Eastern Railway (LNER) has confirmed that some customer details were exposed during a recent cyber security incident linked to one of its third-party suppliers.
The breach, which took place on 8 September 2025, involved unauthorised access to a supplier’s network responsible for managing LNER’s customer communications. The company has since begun contacting affected passengers directly.
The incident adds to a growing list of data breaches across UK transport and infrastructure companies this year, raising questions about how safely passenger data is being shared and stored by contractors.
What information was exposed?
According to LNER, the data accessed included customer names and email addresses. The firm says no passwords, bank details or payment card information were compromised, and ticketing systems remain secure.
In an email to affected customers, LNER stated that it has been working with independent security experts to investigate the breach and strengthen its defences.
However, the company urged vigilance, warning that those impacted should stay alert to the risk of phishing emails or scam messages that appear to come from LNER.
“Emails from LNER will always end in @lner.co.uk or @email.lner.co.uk,” the company said. “If you’re in doubt, don’t click on any links or attachments, and contact us directly at [email protected].”
How did the breach happen?
The attack was traced back to a supplier managing LNER’s customer database, where hackers gained unauthorised access to network systems. The incident highlights the growing risk of third-party breaches, where vulnerabilities in a supplier’s systems are exploited to access data held by large organisations.
LNER says it has now introduced enhanced security controls and is working closely with the supplier to minimise the risk of similar incidents happening again.
Under the UK GDPR, companies that share customer data with third-party providers remain legally responsible for how that data is handled. This includes ensuring those suppliers have appropriate security and compliance measures in place. If they don’t, the organisation that collected the data — in this case LNER — could still be held accountable.
What passengers should do
If you’ve received an email from LNER confirming your details were affected, you should:
- Be cautious of emails claiming to be from LNER or related services
- Avoid clicking links or downloading attachments unless you’re certain they’re legitimate
- Change passwords regularly, particularly if you use the same one across multiple sites.
- Report suspicious emails to the National Cyber Security Centre’s reporting service at [email protected].
Even when financial details aren’t exposed, stolen names and emails can still be used for targeted scams, especially when combined with data from previous breaches. These details can help fraudsters impersonate trusted companies or craft convincing phishing attempts.
You can find more tips on how to stay safe after a data breach in our handy guide.
Holding organisations accountable
Incidents like this highlight how vulnerable consumers remain when companies rely on external suppliers to manage their data. While no financial details were involved this time, the exposure of personal information still represents a serious breach of trust.
Speaking on Reddit, one user said:
If your information was exposed in this breach and LNER failed to meet its data protection obligations, you may have grounds to join a data breach claim.
Join the Claim connects consumers with SRA-regulated lawyers. You can check your eligibility if a claim is open with one of our trusted legal partners. If a group action has not yet been launched, simply register your interest, and we’ll keep you informed if a partner firm decides to take a claim forward.
