C3UK exposes 10,000 commuters' data

The unsecured database contained some 146 million records

Rail station wi-fi provider C3UK has exposed the personal data of about 10,000 people who signed up for the free wi-fi service at major commuter hotspots such as Waltham Cross, Harlow Mill, and London Bridge.

C3UK’s database was not password protected, despite containing 146 million records, including contact information and dates of birth.

Security Discovery researcher Jeremiah Fowler discovered the unsecured database, which according to the BBC was sitting on "Amazon Web Services storage". Created between November 2019 and February 2020, it reportedly contained information as specific as the type of software being used by devices connected to the wi-fi.

“Many of the records I personally saw contained customer email addresses, age range, device data, IP and reason for travel,” Fowler wrote in a blog post. He warned that some of the available information, such as “IP addresses, Ports, Pathways, Build and Version, and Storage information” could be used by hackers to “access deeper into the network”.

The BBC reported that the stations affected include Harlow Mill, Chelmsford, Colchester, Waltham Cross, Burnham, Norwich and London Bridge, which handles over 50 million customers a year. Network Rail, which manages London Bridge, told the BBC: “We have been assured by our supplier that this was a low-risk issue and the integrity of people's information remains fully secure.”

Fowler said that he reported his findings to C3UK as soon as he realised who was responsible for the data: “Unfortunately, no one replied to my initial notification which is sometimes normal as organizations conduct their internal investigations. On Monday Feb 17th I sent a follow up and then a final message on Thursday Feb 20th that simply asked to acknowledge that my previous messages have been received. These messages also went unanswered.”

He also added that, after the initial silence, the free wi-fi provider “took immediate action” to secure the user data and internal records and restricted public access before he could “fully analyze the millions of records inside the database”.

C3UK, which prides itself on enabling “single sign-on, even in multi-vendor environments”, is the latest business to suffer a cyber security fiasco. Last week, Samsung's UK website experienced a data breach resulting in the leak of private information of around 150 customers.
