London North Eastern Railway (LNER), the UK train operator serving the East Coast Main Line between London King’s Cross, Edinburgh, and Aberdeen, disclosed in September 2025 that a third-party vendor had been compromised. The breach exposed customer contact details and journey information for affected LNER passengers. LNER notified affected customers and reported the incident to the ICO as required under GDPR/UK GDPR obligations.