Wi-Fi provider Exposed Passenger Data at Rail Stations

10,000 passengers have had their email addresses and travel details exposed while using free wi-fi at UK railway stations. Network Rail and service provider C3UK both confirmed the incident three days after being contacted by BBC News about the matter.

The database, found online by a security researcher, contained 146 million records, including personal contact details and dates of birth. It was not password protected.

‘Potential vulnerability’

Named railway stations in screenshots seen by BBC News include Harlow Mill, Chelmsford, Colchester, Waltham Cross, Burnham, Norwich and London Bridge.

C3UK said it had secured the exposed database — a back-up copy that included about 10,000 email addresses — as soon as it had been drawn to their attention by researcher Jeremiah Fowler, from Security Discovery. The company said:

To the best of our knowledge, this database was only accessed by ourselves and the security firm and no information was made publicly available, …Given the database did not contain any passwords or other critical data such as financial information, this was identified as a low-risk potential vulnerability.

Closed down

But Mr Fowler said, based on what he had seen “with [his] own eyes”, it appeared to be searchable by username, meaning individuals’ regular travel patterns could be gleaned by tracking when they had logged on to each station’s wi-fi service.

He found it on unsecured Amazon web services storage.

The database — created between 28 November 2019 and 12 February 2020 — had also revealed software updates and the type of software being used by devices connected to the wi-fi, he said.

“That can provide a secondary pathway for [the installation of] malware,” Mr Fowler said.

But he had not downloaded and analysed the entire thing.

“When you see that information, you are racing against the clock to get it closed down,” he said.

‘Adverse effects’

Mr Fowler contacted C3UK on 14 February and sent two further follow-up emails over the following six days but said he had received no reply.

C3UK said it had chosen not to inform the data regulator, the Information Commissioner’s Office (ICO), because the data had not been stolen or accessed by any other party.

The ICO confirmed to BBC News it had not been notified. it said.

When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected and to consider whether there are steps that can be taken to protect them from any potential adverse effects,

Network Rail has now told the BBC that its own data protection team will contact the ICO to explain its position and advised that it had “strongly suggested” to C3UK that it considered reporting the vulnerability.

On its website, C3UK says it offers its clients “captive audience monetisation via sponsorship, in-page display and local micro-site delivery” and promises “real-time reporting on passenger location, behaviour and content preferences”.

‘Improve experience’

Greater Anglia, which runs some of the stations affected, said it no longer used C3UK to provide its station wi-fi.

Network Rail, which manages London Bridge station, said: “We have been assured by our supplier that this was a low-risk issue and the integrity of people’s information remains fully secure.”

Passengers have to supply their gender and reason for travel in order to use the free wi-fi service at some stations.

The request was queried by a Twitter user in 2018 who logged in at Euston station in London.

The station replied the information was taken “to provide a tailored retail offer and to improve experience” and pointed out there was a “prefer not to say” option.

Source: BBC News

If you liked this story, check out our Premium Privacy Insights for informative articles on wide-ranging global data privacy issues.

Contact the author
Peter Borner
Executive Chairman and Chief Trust Officer

As Co-founder, Executive Chairman and Chief Trust Officer of The Data Privacy Group, Peter Borner leverages over 30 years of expertise to drive revenue for organisations by prioritising trust. Peter shapes tailored strategies to help businesses reap the rewards of increased customer loyalty, improved reputation, and, ultimately, higher revenue. His approach provides clients with ongoing peace of mind, solidifying their foundation in the realm of digital trust.

Specialises in: Privacy & Data Governance

Peter Borner
Executive Chairman and Chief Trust Officer

As Co-founder, Executive Chairman and Chief Trust Officer of The Data Privacy Group, Peter Borner leverages over 30 years of expertise to drive revenue for organisations by prioritising trust. Peter shapes tailored strategies to help businesses reap the rewards of increased customer loyalty, improved reputation, and, ultimately, higher revenue. His approach provides clients with ongoing peace of mind, solidifying their foundation in the realm of digital trust.

Specialises in: Privacy & Data Governance

Contact Our Team Today
Your confidential, no obligation discussion awaits.