Network Rail and C3UK suffer massive data exposure affecting thousands

Network Rail, the UK railway network covering almost 20,000 miles of railway, have confirmed that the personal information of almost 10,000 people was leaked through C3UK, one of their free Wi-Fi hotspot providers.

According to the BBC, the exposed database owned by Network Rail contained 146 million data records, including personal information like email addresses, contact details, and dates of birth of over ten thousand travellers and was not password-protected.

C3UK have confirmed to the BBC that as soon as they were made aware of the exposure of sensitive information by Jeremiah Fowler, a security researcher at Security Discovery, they secured the database. "To the best of our knowledge, this database was only accessed by ourselves and the security firm and no information was made publicly available," the company said.

"Given the database did not contain any passwords or other critical data such as financial information, this was identified as a low-risk potential vulnerability."

Fowler disagrees with C3UK's characterisation of the data breach. According to him, the exposure, which took place between 28 November 2019 and 12 February 2020, leaked email addresses, age ranges, the software running on users' devices, IP addresses and the regular travel patterns of individuals, reconstructed by tracking when their devices connected to the station's open network. He found these details in unsecured Amazon Web Services storage.
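The core failure described above is cloud storage reachable by anyone, with no password or access control in front of it. As an added example (not code from the article, from C3UK or from Network Rail), the script below audits the three documents that decide whether an S3 bucket is public: its ACL, its bucket policy and the account or bucket Public Access Block. The sample documents, bucket name and the account ID in the IAM role ARN are constructed placeholders, and the checks assume the documents are in the shape the S3 API returns.

```python
# Offline audit of an S3 bucket's exposure surface: ACL grants, bucket policy
# principals and the Public Access Block. Added example, not the article's or
# C3UK's code; the sample documents below are constructed.
import json
from typing import Any

# Grantee group URIs that S3 treats as "everyone" / "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl: dict) -> list[tuple[str, str]]:
    """Return (permission, group) for every grant to AllUsers/AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEE_URIS:
            findings.append((grant.get("Permission", "?"), uri.rsplit("/", 1)[-1]))
    return findings


def _principal_is_anyone(principal: Any) -> bool:
    """True for the wildcard principal forms '*' and {'AWS': '*'} (or a list containing '*')."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy: dict) -> list[tuple[str, str]]:
    """Return (Sid, actions) for Allow statements open to any principal.

    Statements carrying a Condition are reported as 'conditional': the condition
    may narrow the audience (e.g. to a VPC or IP range), so they need a human look.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a single statement may appear un-listed
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            findings.append((sid, "conditional"))
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append((sid, ",".join(actions)))
    return findings


def public_access_block_complete(config: dict) -> bool:
    """True only when all four Public Access Block switches are on."""
    return all(config.get(k) is True for k in PAB_KEYS)


def assess_bucket(acl: dict, policy: dict, pab: dict) -> dict:
    """Combine the three checks. A full Public Access Block neutralises public
    ACLs and policies, so 'exposed' is only set when the block is incomplete."""
    acl_findings = public_acl_grants(acl)
    policy_findings = public_policy_statements(policy)
    pab_ok = public_access_block_complete(pab)
    return {
        "public_acl_grants": acl_findings,
        "public_policy_statements": policy_findings,
        "public_access_block_complete": pab_ok,
        "exposed": bool(acl_findings or policy_findings) and not pab_ok,
    }


# Constructed sample documents in the shape returned by the S3 API.
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
EXPOSED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-logs-bucket/*"}]}""")
EXPOSED_PAB = {k: False for k in PAB_KEYS}

HARDENED_ACL = {"Grants": [EXPOSED_ACL["Grants"][0]]}          # owner only
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReaderRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-reader"},  # placeholder account
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-logs-bucket/*"}]}
HARDENED_PAB = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    for name, args in (("exposed", (EXPOSED_ACL, EXPOSED_POLICY, EXPOSED_PAB)),
                       ("hardened", (HARDENED_ACL, HARDENED_POLICY, HARDENED_PAB))):
        print(name, json.dumps(assess_bucket(*args)))
```

Against a live account the same three inputs come from boto3's `get_bucket_acl`, `get_bucket_policy` (whose `Policy` field is a JSON string to pass through `json.loads`; it raises `NoSuchBucketPolicy` when no policy is attached, which is the safe case) and `get_public_access_block` (`PublicAccessBlockConfiguration`). Turning all four Public Access Block switches on is the single change that would have closed the kind of exposure the article describes, regardless of what the ACL or policy says.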

C3UK offered free Wi-Fi access in exchange for advertising, claims researcher

He told ISP Review that "the reality is 'Free Wi-Fi' is not free when you trade your personal data for it. This exposure is a prime example of what the potential dangers are when exchanging your data for a service. The language of their website clearly implies that the trade-off for access to the Wi-Fi network is advertising and states 'Captive audience monetisation via sponsorship, in-page display advertising and local microsite delivery'. It is unclear if this includes more targeted marketing or advertising such as direct emails."

“The records I saw collected a profile of the user that included emails, an age range, and reason for travel, etc. By segmenting users, they could potentially try to target them with relevant age-based ads based on their login questionnaire. There is no privacy policy on the website so it is unclear if user data is shared with 3rd parties or how long or often they will receive marketing messages,” Fowler added.

Network Rail told the BBC that their data protection team will contact the ICO to explain the situation and has advised C3UK to report the issue to the cyber security watchdog. They said that they were assured by their open Wi-Fi provider that the data breach was a 'low-risk' issue and that the integrity of people's information remains fully secure.

Commenting on the exposure of over 146 million data records including PII of travellers, Terry Greer-King, VP EMEA at SonicWall told TEISS that “because companies collect so much consumer data these days, it is more important than ever that they have the security in place to avoid data loss – the larger or more sensitive a company’s data collection, the bigger target it is and the more risk it has if hit.”

“Exposed personal information is simply too valuable on the Dark Web. As long as stolen data continues to fetch high prices and equip perpetrators with the means necessary to carry out attacks, hold victims ransom, extort information or destroy property, organizations must exhaust all measures to diligently detect and protect their networks, devices and users,” he added.
