Network Rail data leak highlights free wifi risk

by Emma Woollacott
4 March 2020

A security researcher has discovered a vulnerability that left the personal data of 10,000 UK rail passengers exposed.

C3UK provides free wifi for Network Rail, which operates and maintains the UK’s rail infrastructure, at stations across the UK. But according to researcher Jeremiah Fowler of Security Discovery, it was keeping passenger data on an Amazon Web Services database with no password protection at all. 

The database contained around 146 million records including names, dates of birth, email addresses and details of travel arrangements, as well as device data and IP addresses. The data appears to have been collected between the end of November last year and mid-February this year.

“The records I saw collected a profile of the user that included emails, an age range, and reason for travel, etc. By segmenting users they could potentially try to target them with relevant age-based ads based on their login questionnaire,” says Fowler. 

“It is unclear how long the C3UK free wifi database was exposed or who else may have accessed the records.”

Valuable data exposed

C3UK secured the database more or less immediately and has issued a statement pointing out that the data doesn’t appear to have been accessed by any malicious actors, and contained no passwords or other critical data such as financial information. 

However, as Fowler points out, it could potentially have been extremely useful in crafting a phishing attack. 

“The first thing people think of is more annoying spam, but it goes much deeper. Many people use their real name as part of the email address and further expose their personal identities,” he says. 

“In this case, anyone with an internet connection could see what station the user was at, a time stamp, ads they may have seen, the postcode where they live and much more. Every little piece of information is essentially a puzzle piece that can be used to paint a bigger picture of the user.”

Paul Ducklin, a principal research scientist at Sophos, points out that users frequently give away more information than they need to.

“In my opinion, free Wi-Fi isn’t a worthwhile return for handing over your birthday, which is still treated as a factor of identification by many organisations,” he tells Cybernews.

“In this case, it seems that the company did offer a ‘don’t want to give my birthday’ option, which would have been a wise choice – you don’t have to fill in optional fields in web forms, and life is a lot simpler if you routinely leave them blank.”

It’s not the first time that AWS databases have been exposed by admins failing to password protect them. Last year, for example, Mexican media company Cultura Colectiva was found to have exposed a massive 540 million items of Facebook user data.

GDPR implications

Of some concern is the fact that C3UK failed to inform users or the Information Commissioner’s Office (ICO), telling the BBC that this was because the data hadn’t actually been stolen, and was unlikely to have been exploited.

It may succeed in this argument. Under the General Data Protection Regulation (GDPR), breaches must be reported to the ICO within 72 hours of being discovered – unless a risk to the public is deemed unlikely. However, many organisations are taking much longer. In its GDPR: One year on report last year, the ICO commented that “it remains a challenge for organisations and DPOs to assess and report breaches within the statutory timescales.”
