C3UK exposes 10,000 commuters' data

The unsecured database contained some 146 million records

Rail station wi-fi provider C3UK has exposed the personal data of about 10,000 people who signed up for the free wi-fi service at major commuter hotspots such as Waltham Cross, Harlow Mill, and London Bridge.

C3UK’s database was not password protected, despite containing 146 million records, including contact information and dates of birth.


Security Discovery researcher Jeremiah Fowler discovered the unsecured database, which according to the BBC was sitting on "Amazon Web Services storage". Created between November 2019 and February 2020, it reportedly contained information as specific as the type of software being used by devices connected to the wi-fi.

“Many of the records I personally saw contained customer email addresses, age range, device data, IP and reason for travel,” Fowler wrote in a blog post. He warned that some of the available information, such as “IP addresses, Ports, Pathways, Build and Version, and Storage information” could be used by hackers to “access deeper into the network”.

The BBC reported that the stations affected include Harlow Mill, Chelmsford, Colchester, Waltham Cross, Burnham, Norwich and London Bridge, which handles over 50 million customers a year. Network Rail, which manages London Bridge, told the BBC: “We have been assured by our supplier that this was a low-risk issue and the integrity of people's information remains fully secure.”


Fowler said that he reported his findings to C3UK as soon as he realised who was responsible for the data: “Unfortunately, no one replied to my initial notification which is sometimes normal as organizations conduct their internal investigations. On Monday Feb 17th I sent a follow up and then a final message on Thursday Feb 20th that simply asked to acknowledge that my previous messages have been received. These messages also went unanswered.”

He also added that, after the initial silence, the free wi-fi provider “took immediate action” to secure the user data and internal records and restricted public access before he could “fully analyze the millions of records inside the database”.

C3UK, which prides itself on enabling “single sign-on, even in multi-vendor environments”, is the latest business to suffer a cyber security fiasco. Last week, Samsung's UK website experienced a data breach resulting in the leak of private information of around 150 customers.
