The email addresses and travel details of up to 10,000 UK commuters have been exposed after they accessed the free Wi-Fi at train stations.
As the BBC reports, Network Rail and service provider C3UK say a database of 146 million records, including personal contact details and dates of birth, was found on Amazon Web Services storage with no password protection.
C3UK secured the database after it was alerted to the exposure by Jeremiah Fowler from Security Discovery. “To the best of our knowledge, this database was only accessed by ourselves and the security firm and no information was made publicly available. Given the database did not contain any passwords or other critical data such as financial information, this was identified as a low-risk potential vulnerability,” C3UK tells the BBC.
However, Fowler says the database appeared to be searchable by username, so individuals’ travel patterns could be figured out by checking when they had logged on to each station’s Wi-Fi network. Named stations included Harlow Mill, Chelmsford, Colchester, Waltham Cross, Burnham, Norwich, and London Bridge.
Fowler also said that such a vulnerability could “provide a secondary pathway for [the installation of] malware,” but that he had not analyzed the entire database because it was a “[race] against the clock to get it closed down.” Fowler contacted C3UK on Feb. 14 but received no reply for six days despite sending follow-up emails.
C3UK did not inform the UK’s data regulator, the Information Commissioner’s Office (ICO), because user information was not stolen or accessed by third parties. Network Rail told the BBC that its data protection team had “strongly suggested” to C3UK that it report the vulnerability.
“When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected and to consider whether there are steps that can be taken to protect them from any potential adverse effects,” the ICO said.
C3UK is not the only vendor that has failed to password-protect its AWS database. Last month, thousands of plastic surgery patients had their before-and-after photos accidentally exposed on the internet due to an unprotected server. And last year, researchers found an open database with over 540 million Facebook records, including comments, likes, reactions and user names.