York-based train operator LNER has confirmed that some customer information was accessed following a data breach involving one of its external suppliers. The incident, identified on 8 September 2025, affected the supplier responsible for managing the company’s customer communication database.
An unauthorised third party gained access to the supplier’s systems, exposing limited customer data such as names and email addresses. LNER’s internal systems, including ticketing and payment platforms, remain unaffected and fully operational.
The company has reported the breach to the Information Commissioner’s Office, the National Cyber Security Centre, British Transport Police, and the Department for Transport. Independent security specialists have been brought in to strengthen the supplier’s defences and prevent similar incidents.
LNER has temporarily paused certain communication channels while the investigation continues and has advised customers to remain vigilant for possible phishing attempts. It has also provided a dedicated contact point for anyone seeking verification of messages that appear to come from the company.
The breach underscores the cybersecurity challenges facing transport operators reliant on third-party data processors and highlights the growing importance of robust supplier security management within critical infrastructure networks.
