A resident of Almere gained remote access to the ticket machines of seven Keolis buses. He succeeded because he saw a TeamViewer ID on a screen and guessed the password ‘1234’.
Melvin Morssink tells Omroep Flevoland that he gained access to payment details of passengers by logging into the ticket machines. According to carrier Keolis, there was no personal information and it is not a data breach. Morssink was also able to disable the machines via TeamViewer.
During a bus ride, Morssink saw the TeamViewer logo on the screen of a ticket machine, along with the ID to log in to the session. He then tried to access the vending machine at home and succeeded with the password 1234. He gained access to the vending machines on more buses by guessing the IDs.
Morssink tells RTL Nieuws that he reported the security problem to Keolis. The carrier responded within two days and offered him a day ticket worth six euros. He did not agree and eventually received a reward of seven hundred euros. Keolis states that the supplier of the vending machines has taken action.