A security researcher has discovered an unsecured database that left the personal data of 10,000 UK rail passengers exposed.
C3UK provides free wifi at stations across the UK on behalf of Network Rail, which operates and maintains the UK’s rail infrastructure. But according to researcher Jeremiah Fowler of Security Discovery, it was keeping passenger data on an Amazon Web Services-hosted database that could be read without any password at all.
The database contained around 146 million records including names, dates of birth, email addresses and details of travel arrangements, as well as device data and IP addresses. The data appears to have been collected between late November last year and mid-February this year.
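The failure described above is a data store that answers read requests with no credentials at all. The following is an added example, not code from the article, Security Discovery or C3UK, of the check a practitioner would run against their own hosts: request a few read-only paths with no Authorization header and flag any that return data. It assumes the store exposes a JSON read API over HTTP; the Elasticsearch-style paths are only an assumption about the engine, which the article does not name. The stub server and its sample payload are constructed here so the check runs offline.

```python
"""Added example: probe whether an HTTP-fronted data store answers reads without credentials.

Assumptions (not from the article): the store exposes a JSON read API over HTTP, and the
Elasticsearch-style paths below are only a guess at what such a store would answer.
The stub server is constructed here so the check runs offline.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Paths a read-only probe tries; "/" and the index listing follow Elasticsearch
# conventions, used here as an assumption about the engine.
DEFAULT_PATHS = ("/", "/_cat/indices?format=json")


def probe_unauthenticated(base_url, paths=DEFAULT_PATHS, timeout=5):
    """Request each path with no credentials.

    Returns {path: (state, http_status)} where state is "open" (server returned data
    to an anonymous client), "protected" (401/403), "error" (other HTTP status) or
    "unreachable" (connection failed).
    """
    results = {}
    for path in paths:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                resp.read(4096)  # consume a little of the body; we only need the status
                status = resp.getcode()
        except urllib.error.HTTPError as err:
            # urllib raises for non-2xx; 401/403 is the answer we want to see.
            results[path] = ("protected" if err.code in (401, 403) else "error", err.code)
            continue
        except (urllib.error.URLError, OSError):
            results[path] = ("unreachable", None)
            continue
        # Any 2xx with no Authorization header sent means an anonymous reader gets data.
        results[path] = ("open", status)
    return results


def is_exposed(results):
    """True if any probed path returned data without credentials."""
    return any(state == "open" for state, _ in results.values())


class _StubStore(BaseHTTPRequestHandler):
    """Constructed stand-in for the data store. `require_auth` toggles Basic auth."""
    require_auth = False
    # Constructed sample payload mimicking an index listing; not real data.
    SAMPLE = [{"index": "wifi-logins", "docs.count": "146000000"}]

    def do_GET(self):
        if self.require_auth and not self.headers.get("Authorization"):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="store"')
            self.end_headers()
            return
        body = json.dumps(self.SAMPLE).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence request logging in the demo
        pass


def run_stub(require_auth):
    """Start a stub store on a free loopback port; returns (base_url, server)."""
    handler = type("Handler", (_StubStore,), {"require_auth": require_auth})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1], server


def check_stub(require_auth):
    """Run the probe against a stub in the given mode and return its results."""
    base_url, server = run_stub(require_auth)
    try:
        return probe_unauthenticated(base_url)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for mode in (False, True):
        res = check_stub(mode)
        print("auth required:", mode, "->", "EXPOSED" if is_exposed(res) else "protected", res)
```

Run against a real host, `probe_unauthenticated("http://host:9200")` is enough; the point of the stub is to show both outcomes side by side. A store that is "protected" here can still be exposed through a network path this check does not see, so the probe should be run from outside the trust boundary (a public IP), not from inside the VPC.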
“The records I saw collected a profile of the user that included emails, an age range, and reason for travel, etc. By segmenting users they could potentially try to target them with relevant age-based ads based on their login questionnaire,” says Fowler.
“It is unclear how long the C3UK free wifi database was exposed or who else may have accessed the records.”
Valuable data exposed
C3UK secured the database more or less immediately and has issued a statement pointing out that the data doesn’t appear to have been accessed by any malicious actors, and contained no passwords or other critical data such as financial information.
However, as Fowler points out, it could potentially have been extremely useful in crafting a phishing attack.
“The first thing people think of is more annoying spam, but it goes much deeper. Many people use their real name as part of the email address and further expose their personal identities,” he says.
“In this case, anyone with an internet connection could see what station the user was at, a time stamp, ads they may have seen, the postcode where they live and much more. Every little piece of information is essentially a puzzle piece that can be used to paint a bigger picture of the user.”
Paul Ducklin, a principal research scientist at Sophos, points out that users frequently give away more information than they need to.
“In my opinion, free Wi-Fi isn’t a worthwhile return for handing over your birthday, which is still treated as a factor of identification by many organisations,” he tells Cybernews.
“In this case, it seems that the company did offer a ‘don’t want to give my birthday’ option, which would have been a wise choice – you don’t have to fill in optional fields in web forms, and life is a lot simpler if you routinely leave them blank.”
It’s not the first time that data hosted on AWS has been exposed by admins failing to password-protect it. Last year, for example, Mexican media company Cultura Colectiva was found to have exposed a massive 540 million records of Facebook user data in a publicly readable Amazon S3 bucket.
Of some concern is the fact that C3UK failed to inform users or the Information Commissioner’s Office (ICO), telling the BBC that this was because the data hadn’t actually been stolen, and was unlikely to have been exploited.
It may succeed in this argument. Under the General Data Protection Regulation (GDPR), breaches must be reported to the ICO within 72 hours of the organisation becoming aware of them, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals affected. However, many organisations are taking much longer. In its GDPR: One year on report last year, the ICO commented that “it remains a challenge for organisations and DPOs to assess and report breaches within the statutory timescales.”