C3UK exposes 10,000 commuters' data

The unsecured database contained some 146 million records

Rail station wi-fi provider C3UK has exposed the personal data of about 10,000 people who signed up for the free wi-fi service at major commuter hotspots such as Waltham Cross, Harlow Mill, and London Bridge.

C3UK’s database was not password protected, despite containing 146 million records, including contact information and dates of birth.

Advertisement - Article continues below

Security Discovery researcher Jeremiah Fowler discovered that the unsecured database, which according to rthe BBC was sitting on "Amazon Web Services storage". Created between November 2019 and February 2020, it reportedly contained information as specific as the type of software being used by devices connected to the wi-fi. 

“Many of the records I personally saw contained customer email addresses, age range, device data, IP and reason for travel,” Fowler wrote in a blog post. He warned that some of the available information, such as “IP addresses, Ports, Pathways, Build and Version, and Storage information” could be used by hackers to “access deeper into the network”.

BBC reported that the stations affected include Harlow Mill, Chelmsford, Colchester, Waltham Cross, Burnham, Norwich and London Bridge, which handles over 50 million customers a year. Network Rail, which manages London Bridge, told the BBC: “We have been assured by our supplier that this was a low-risk issue and the integrity of people's information remains fully secure.”

Advertisement - Article continues below
Advertisement - Article continues below

Fowler said that he reported his findings to C3UK as soon as he realised who was responsible for the data: “Unfortunately, no one replied to my initial notification which is sometimes normal as organizations conduct their internal investigations. On Monday Feb 17th I sent a follow up and then a final message on Thursday Feb 20th that simply asked to acknowledge that my previous messages have been received. These messages also went unanswered.”

He also added that, after the initial silence, the free wi-fi provider “took immediate action" to secure the user data and internal records and restricted public access before he could "fully analyze the millions of records inside the database”.

C3UK, which prides itself on enabling “single sign-on, even in multi-vendor environments”, is the latest business to suffer a cyber security fiasco. Last week, Samsung's UK website experienced a data breach resulting in the leak of private information of around 150 customers.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now


General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020

Most Popular

Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020

How to find RAM speed, size and type

24 Jun 2020
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020