The organisation responsible for maintaining 20,000 miles of railway (train tracks etc.), Network Rail, has confirmed that one of their free WiFi hotspot providers, C3UK, has suffered a personal data breach that leaked the email addresses and travel details of about 10,000 people online.
The BBC reports that the database, which contained an overall total of 146 million records, was found unprotected (no password) online by Jeremiah Fowler, from Security Discovery, on 14th February 2020. Apparently C3UK secured the database on the same day, as soon as it was brought to their attention, although it took them several days to confirm this to the BBC and they didn’t initially respond to Jeremiah.
According to Jeremiah, the exposed database contained customer email addresses, age range, device data, IP addresses and reasons for travel. The date range of documents appeared to cover the period from 28th November 2019 to 13th February 2020.
As most people know, free WiFi networks often don’t allow you to access them unless you first agree to part with some of your personal details (you can of course fake these in order to limit personal data snooping by companies). On top of that, it’s often wise to use a Virtual Private Network (VPN) service when on free WiFi, although this shouldn’t be treated as a total security blanket.
Jeremiah Fowler said:
“The reality is “Free Wifi” is not free when you trade your personal data for it. This exposure is a prime example of the potential dangers when exchanging your data for a service. The language of their website clearly implies that the trade-off for access to the wifi network is advertising and states “Captive audience monetisation via sponsorship, in-page display advertising and local microsite delivery”. It is unclear if this includes more targeted marketing or advertising such as direct emails.
The records I saw collected a profile of the user that included emails, an age range, and reason for travel, etc. By segmenting users they could potentially try to target them with relevant age-based ads based on their login questionnaire. There is no privacy policy on the website so it is unclear if user data is shared with 3rd parties or how long or often they will receive marketing messages. In a screenshot posted on Twitter of the survey users must answer for access it does have the terms of access and a privacy policy, but I could not find any information on the website.
It is unclear how long the C3UK Free Wifi database was exposed or who else may have accessed the records. As security researchers we never circumvent passwords or security protection systems, and we do not download the exposed data we discover.”
In response C3UK said that “to the best of our knowledge, this database was only accessed by ourselves and the security firm and no information was made publicly available.” The provider said it was a “low-risk potential vulnerability” and noted that their database did not contain any passwords or “other critical data,” such as financial information.
Apparently the unsecured database was found sitting on cloud storage from Amazon Web Services (AWS). In the past there have been similar incidents where other people and companies using AWS have failed to set up the access controls on their storage correctly, leaving their data exposed to anyone who found the address.
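The article does not say which AWS storage service was involved, so as an added illustration (not code from the article, C3UK or Network Rail) the following assumes an Amazon S3 bucket and shows the two checks a defender would run offline against a bucket’s configuration: does the bucket policy grant read access to an anonymous principal, and are all four S3 Block Public Access flags switched on? The policy documents and account id below are constructed sample values.

```python
"""Offline checks for a publicly readable Amazon S3 bucket configuration.

Added example, not from the article: lints a bucket policy document and a
Block Public Access configuration. All sample documents are constructed.
"""
import json

# Actions that let an anonymous caller read objects or list the bucket.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

# The four S3 Block Public Access flags; all must be True on a private bucket.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when the Principal element matches anyone (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def public_read_statements(policy_json):
    """Return the Sid (or index) of each statement allowing anonymous read."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # a condition narrows the grant; review it separately
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


def block_public_access_gaps(config):
    """Return the Block Public Access flags that are missing or disabled."""
    return [flag for flag in BPA_FLAGS if not config.get(flag, False)]


# Constructed sample: the weak setting, every object world-readable.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-wifi-records/*",
    }],
})

# Constructed sample: the corrected setting. Only a named role may read, and
# anonymous access is mentioned solely in a Deny that enforces TLS.
# 123456789012 is a placeholder account id.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AnalyticsRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-wifi-records",
                         "arn:aws:s3:::example-wifi-records/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-wifi-records/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

if __name__ == "__main__":
    print("weak policy public statements:", public_read_statements(WEAK_POLICY))
    print("hardened policy public statements:", public_read_statements(HARDENED_POLICY))
    print("BPA gaps:", block_public_access_gaps({"BlockPublicAcls": True}))
```

Both functions work on the JSON and dict shapes the real S3 `GetBucketPolicy` and `GetPublicAccessBlock` calls return, so the same logic can be run over exported configuration in an audit pipeline; the point of the Block Public Access check is that it catches a public grant even when the bucket policy itself looks clean.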
Low risk POTENTIAL vulnerability??
The sodding database was left unprotected in an Amazon bucket??? Are they insane??
Are they reporting this to the ICO?
Anyone who thinks email addresses are not critical data does not deserve to hold my email address.
They will be fined but of course it is far too late. Too many organisations implementing WIFI insist on data capture to offer “free” access, with a lack of guidance to users. The organisation/company should also be held responsible as well as the service provider, as it’s their brand that is promoted.
The answer, as always, is to have a non-essential email address(es); not only does it protect against public access issues like this, it also covers internet product enquiries and the latest barrage of sales counters asking for your email (e.g. Halfords).
According to the BBC article about this, C3UK decided not to report the incident to the ICO because the data had not been stolen or accessed. Yet it’s obvious the data was accessed, by the security researchers.
However Network Rail intends to inform the ICO and “strongly suggested” to C3UK that they report it too. Good on them for going public with that statement. It means C3UK can’t plead ignorance of their responsibilities under the law. With any luck, even if C3UK are not fined for their incompetence at handling personal data, they will get fined for consciously ignoring their duty to report the incident and inform users.