From Responsible Disclosure to a Damaging Accusation
The swift integration of artificial intelligence into customer service has opened a Pandora’s box of cybersecurity challenges, as one high-speed rail operator recently discovered in a very public and contentious fashion. The rapid adoption of consumer-facing AI has created a new frontier for cybersecurity, one where the lines of communication between security researchers and corporations are more critical than ever. This timeline deconstructs a contentious incident between the security consulting firm Pen Test Partners and the rail operator Eurostar, which began with the discovery of a significant chatbot vulnerability and spiraled into a public accusation of “blackmail.” This case serves as a stark cautionary tale, highlighting how a breakdown in a company’s vulnerability disclosure process can turn a collaborative effort to improve security into a damaging public dispute. It underscores the urgent need for robust security protocols and professional channels for ethical hackers as AI becomes increasingly integrated into our daily lives.
A Timeline of Broken Communication and Escalating Tensions
June 2024 – The Initial Discovery and a Wall of Silence
The story began when researchers at Pen Test Partners identified four distinct vulnerabilities in Eurostar’s public AI chatbot. The flaws were not minor bugs but were rooted in the bot’s fundamental design, creating openings that could allow attackers to inject malicious HTML and even trick the system into leaking its own confidential prompts. Following ethical security practices, the firm compiled its findings and sent its initial report to Eurostar’s official vulnerability disclosure program (VDP) email on June 11. When a week passed with no acknowledgment—not even an automated reply—bug hunter Ross Donald sent a follow-up on June 18. Both attempts at responsible disclosure were met with complete silence, leaving the critical flaws unaddressed and the researchers in the dark.
July 2024 – Escalation and a Dysfunctional Reporting System
Frustrated by the lack of response and concerned that a significant security issue was being ignored, Pen Test Partners’ managing partner, Ken Munro, escalated the matter on July 7. He bypassed the official channels and contacted Eurostar’s head of security directly on LinkedIn. This direct approach finally elicited a response, but in doing so, it also exposed a catastrophic failure in Eurostar’s reporting infrastructure. The security head initially directed Munro back to the same VDP they had already used without success. It was not until July 31, weeks after the initial contact, that the company discovered the cause of the communication breakdown: its VDP had been outsourced, and the old email-based system was retired in favor of a new web form, but without a clear transition plan or any notice to the security community. Pen Test Partners’ report, and potentially others, had been lost in the digital void.
Post-July 2024 – The “Blackmail” Accusation and Public Disclosure
After finally locating the original report that had fallen through the cracks of their defunct system, Eurostar patched “some” of the identified issues. However, the follow-up conversation on LinkedIn took a hostile and unprofessional turn. When Munro expressed his understandable frustration with the convoluted and broken process, stating, “Maybe a simple acknowledgement of the original email report would have helped?” the Eurostar security executive delivered a shocking reply: “Some might consider this to be blackmail.” This baseless and inflammatory accusation shattered the trust between the two parties. For Pen Test Partners, it was the tipping point that prompted them to publish their findings, turning a private security matter into a public lesson on how not to handle vulnerability reports.
The Critical Failures: Flawed Systems and Flawed Responses
The incident was ultimately defined by two significant turning points that compounded an already bad situation. The first was the complete breakdown of Eurostar’s vulnerability disclosure program—a foundational element of modern corporate cybersecurity. Retiring an established reporting channel without a functional, well-communicated replacement created a black hole for critical information, signaling a lack of preparedness for managing security intelligence. The second, and more dramatic, turning point was the “blackmail” accusation. This single comment transformed a procedural failure into a public relations crisis. It alienated the very security researchers who were attempting to help the company secure its systems, demonstrating a profound misunderstanding of the ethical hacking process. The overarching theme is a dangerous disconnect between the rush to deploy new AI technology and the failure to build the mature security infrastructure and professional protocols needed to support it safely.
Dissecting the Vulnerabilities: How the Chatbot Was Compromised
The technical flaws themselves were significant, stemming from a core design problem where the chatbot’s API only validated the most recent message in a conversation. This oversight allowed an attacker to send a benign final message to get an approved signature, then retrospectively edit earlier messages in the chat history to include malicious prompts. This prompt injection method was used to trick the chatbot into revealing its own system prompt—a serious information leak that gives attackers a blueprint for crafting future, more sophisticated exploits.
Furthermore, a separate HTML injection vulnerability allowed researchers to make the chatbot return malicious code, such as a phishing link disguised as a legitimate Eurostar response. An unsuspecting user could easily be deceived into clicking such a link, potentially compromising their credentials or downloading malware. Compounding these issues was the API’s failure to verify conversation and message IDs. This weakness, when combined with the HTML injection flaw, created a plausible path to stored cross-site scripting (XSS). This represents a severe vulnerability where malicious code could be saved on Eurostar’s server and automatically executed in the browsers of other users, leading to widespread account takeovers or data theft.
