Southern California Regional Rail Authority (SCRRA) sent me a letter; the envelope promises me free rail tickets.

Metrolink new resident offer envelope

I had previously filled in a form for USPS to forward my mail to a mail scanning service based near Los Angeles. The post office must have sold the list of people who recently redirected their mail to Southern California to SCRRA. SCRRA wanted to encourage me to travel to work by train instead of driving (a good thing, in my opinion).

The letter is customized: it shows the location of the metro station closest to my address. They don't mention that it is a 27-minute walk to the station. There is a parking lot at the station, so maybe I'm supposed to drive there.

Metrolink new resident offer letter

The second page gives some more information about the Metrolink service.

To claim my tickets I go to http://metrolinktrains.com/newneighbor and enter my reservation number: NR03876. The page redirects to http://scrra.force.com/promotion/NEW.

The form has my name and address. I just have to fill in my phone number and e-mail and answer a few questions to claim my free tickets.

What if we try changing the digits in the reservation number? Maybe I could try NR03000 or NR00001. Yes, they both work: I can see the names and addresses of other people who recently forwarded their mail to an address in Southern California.

This is going to make people worry about identity theft. When somebody asks the post office to forward their mail, they don't expect their name and new address to be posted on the Internet. The other problem is that the name and address fields are editable. With guessable reservation numbers, anybody can claim a free rail ticket promised to somebody else.

SCRRA could fix this by requiring users to enter some more information, like their last name and ZIP code, along with the reservation number.
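
A sketch of that fix as a server-side check, added here as an example and not SCRRA's code: the record is returned only when the reservation number, last name and ZIP code all match. The function names, the sample records and the five-attempt limit are assumptions made for illustration.

```python
import hmac

# Constructed sample records: names, addresses and numbers are made up.
RECORDS = {
    "NR00001": {"last_name": "Rivera", "zip": "90012", "address": "1 Example St"},
    "NR00002": {"last_name": "O'Neil", "zip": "91101", "address": "2 Sample Ave"},
}
MAX_FAILURES = 5   # assumed limit on failed lookups per client
_failures = {}     # client id (e.g. IP address) -> failed attempts so far


def _norm(value):
    """Lower-case and keep only letters and digits, so "O'Neil" == "oneil"."""
    return "".join(ch for ch in value.casefold() if ch.isalnum())


def _same(a, b):
    """Constant-time comparison of two strings."""
    return hmac.compare_digest(a.encode(), b.encode())


def lookup(client, reservation, last_name, zip_code):
    """Return the record only if number, last name and ZIP all match.

    Every failure returns None, so a caller cannot tell an unknown
    reservation number from a wrong name or ZIP.
    """
    if _failures.get(client, 0) >= MAX_FAILURES:
        return None  # too many bad guesses from this client
    rec = RECORDS.get(reservation.strip().upper())
    expected = rec or {"last_name": "", "zip": ""}  # dummy for unknown numbers
    ok = rec is not None
    ok &= _same(_norm(last_name), _norm(expected["last_name"]))
    ok &= _same(_norm(zip_code)[:5], expected["zip"])  # accept ZIP+4 input
    if not ok:
        _failures[client] = _failures.get(client, 0) + 1
        return None
    return rec
```

For the editable-fields problem, the handler that accepts the claim form would take the name and address from the stored record rather than from the submitted fields.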