C3UK exposes 10,000 commuters' data

The unsecured database contained some 146 million records

Rail station wi-fi provider C3UK has exposed the personal data of about 10,000 people who signed up for the free wi-fi service at major commuter hotspots such as Waltham Cross, Harlow Mill, and London Bridge.

C3UK’s database was not password protected, despite containing 146 million records, including contact information and dates of birth.

Security Discovery researcher Jeremiah Fowler discovered that the unsecured database, which according to rthe BBC was sitting on "Amazon Web Services storage". Created between November 2019 and February 2020, it reportedly contained information as specific as the type of software being used by devices connected to the wi-fi. 

“Many of the records I personally saw contained customer email addresses, age range, device data, IP and reason for travel,” Fowler wrote in a blog post. He warned that some of the available information, such as “IP addresses, Ports, Pathways, Build and Version, and Storage information” could be used by hackers to “access deeper into the network”.

BBC reported that the stations affected include Harlow Mill, Chelmsford, Colchester, Waltham Cross, Burnham, Norwich and London Bridge, which handles over 50 million customers a year. Network Rail, which manages London Bridge, told the BBC: “We have been assured by our supplier that this was a low-risk issue and the integrity of people's information remains fully secure.”

Fowler said that he reported his findings to C3UK as soon as he realised who was responsible for the data: “Unfortunately, no one replied to my initial notification which is sometimes normal as organizations conduct their internal investigations. On Monday Feb 17th I sent a follow up and then a final message on Thursday Feb 20th that simply asked to acknowledge that my previous messages have been received. These messages also went unanswered.”

He also added that, after the initial silence, the free wi-fi provider “took immediate action" to secure the user data and internal records and restricted public access before he could "fully analyze the millions of records inside the database”.

C3UK, which prides itself on enabling “single sign-on, even in multi-vendor environments”, is the latest business to suffer a cyber security fiasco. Last week, Samsung's UK website experienced a data breach resulting in the leak of private information of around 150 customers.

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
How to speed up Microsoft's Windows 11
Microsoft Windows

How to speed up Microsoft's Windows 11

9 Nov 2021
Nike to take customers into the metaverse with 'NIKELAND'
virtualisation

Nike to take customers into the metaverse with 'NIKELAND'

19 Nov 2021