C3UK exposes 10,000 commuters' data

The unsecured database contained some 146 million records

Rail station wi-fi provider C3UK has exposed the personal data of about 10,000 people who signed up for the free wi-fi service at major commuter hotspots such as Waltham Cross, Harlow Mill, and London Bridge.

C3UK’s database was not password protected, despite containing 146 million records, including contact information and dates of birth.

Security Discovery researcher Jeremiah Fowler discovered the unsecured database, which according to the BBC was sitting on "Amazon Web Services storage". Created between November 2019 and February 2020, it reportedly contained information as specific as the type of software being used by devices connected to the wi-fi.

“Many of the records I personally saw contained customer email addresses, age range, device data, IP and reason for travel,” Fowler wrote in a blog post. He warned that some of the available information, such as “IP addresses, Ports, Pathways, Build and Version, and Storage information” could be used by hackers to “access deeper into the network”.

The BBC reported that the stations affected include Harlow Mill, Chelmsford, Colchester, Waltham Cross, Burnham, Norwich and London Bridge, which handles over 50 million customers a year. Network Rail, which manages London Bridge, told the BBC: “We have been assured by our supplier that this was a low-risk issue and the integrity of people's information remains fully secure.”

Fowler said that he reported his findings to C3UK as soon as he realised who was responsible for the data: “Unfortunately, no one replied to my initial notification which is sometimes normal as organizations conduct their internal investigations. On Monday Feb 17th I sent a follow up and then a final message on Thursday Feb 20th that simply asked to acknowledge that my previous messages have been received. These messages also went unanswered.”

He added that, after the initial silence, the free wi-fi provider “took immediate action” to secure the user data and internal records and restricted public access before he could “fully analyze the millions of records inside the database”.

C3UK, which prides itself on enabling “single sign-on, even in multi-vendor environments”, is the latest business to suffer a cyber security fiasco. Last week, Samsung's UK website experienced a data breach resulting in the leak of private information of around 150 customers.
