Network Rail and C3UK Confirm WiFi Personal Data Breach

Monday, March 2nd, 2020 (2:40 pm) - Score 2,038

The organisation responsible for maintaining 20,000 miles of railway (train tracks etc.), Network Rail, has confirmed that one of its free WiFi hotspot providers, C3UK, has suffered a personal data breach that left the email addresses and travel details of about 10,000 people exposed online.

The BBC reports that the database, which contained an overall total of 146 million records, was found unprotected (no password) online by Jeremiah Fowler, of Security Discovery, on 14th February 2020. C3UK apparently secured the database on the same day, as soon as it had been brought to their attention, although it took them several days to confirm this to the BBC and they did not initially respond to Jeremiah.

According to Jeremiah, the exposed database contained customer email addresses, age range, device data, IP addresses and reasons for travel. The date range of documents appeared to cover the period from 28th November 2019 to 13th February 2020.

As most people know, free WiFi networks often don’t allow you to access them unless you first agree to part with some of your personal details (you can of course fake these in order to limit personal data snooping by companies). On top of that it’s often wise to use a Virtual Private Network (VPN) service when on free WiFi, although this shouldn’t be treated as a total security blanket.

Jeremiah Fowler said:

“The reality is “Free Wifi” is not free when you trade your personal data for it. This exposure is a prime example of what are the potential dangers when exchanging your data for a service. The language of their website clearly implies that the trade off for access to the wifi network is advertising and states “Captive audience monetisation via sponsorship, in-page display advertising and local microsite delivery”. It is unclear if this includes more targeted marketing or advertising such as direct emails.

The records I saw collected a profile of the user that included emails, an age range, and reason for travel, etc. By segmenting users they could potentially try to target them with relevant age based ads based on their login questionnaire. There is no privacy policy on the website so it is unclear if user data is shared with 3rd parties or how long or often they will receive marketing messages. In a screenshot posted on Twitter of the survey users must answer for access it does have the terms of access and a privacy policy, but I could not find any information on the website.

It is unclear how long the C3UK Free Wifi database was exposed or who else may have accessed the records. As security researchers we never circumvent passwords or security protection systems, and we do not download the exposed data we discover.”

In response C3UK said that “to the best of our knowledge, this database was only accessed by ourselves and the security firm and no information was made publicly available.” The provider said it was a “low-risk potential vulnerability” and noted that their database did not contain any passwords or “other critical data,” such as financial information.

The unsecured database was apparently found sitting on cloud storage from Amazon Web Services (AWS). There have been similar incidents in the past where other people and companies using AWS failed to set up the access controls on their storage correctly, leaving data exposed.
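The check a practitioner would want after reading this is a quick audit of whether a storage bucket is reachable by anyone. The script below is an added example (not C3UK's, AWS's or the article's code): it evaluates the three settings that govern S3 public exposure (the account/bucket public access block, the bucket ACL and the bucket policy status), using constructed dicts shaped like the responses of boto3's get_public_access_block, get_bucket_acl and get_bucket_policy_status, so it runs offline; the bucket names and settings are made up.

```python
# Offline S3 exposure audit (added example). The input dicts mirror the shapes
# returned by boto3's get_public_access_block / get_bucket_acl /
# get_bucket_policy_status; all sample buckets below are constructed.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """ACL grants that hand access to everyone, or to any AWS account at all."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]


def audit_bucket(pab, acl, policy_status):
    """Return a list of exposure findings; an empty list means no public path."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    findings = []
    if not all(cfg.get(k) is True for k in PAB_KEYS):
        findings.append("public access block not fully enabled")
    grants = public_acl_grants(acl)
    # A public ACL only matters if IgnorePublicAcls is not overriding it.
    if grants and not cfg.get("IgnorePublicAcls"):
        perms = sorted(g["Permission"] for g in grants)
        findings.append(f"ACL grants {perms} to a global group")
    # A public bucket policy is neutralised by RestrictPublicBuckets.
    if (policy_status.get("PolicyStatus", {}).get("IsPublic")
            and not cfg.get("RestrictPublicBuckets")):
        findings.append("bucket policy makes the bucket public")
    return findings


# Constructed sample: a legacy bucket with no public access block and a
# world-readable ACL, i.e. the kind of misconfiguration that exposes records.
EXPOSED = audit_bucket(
    {"PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS}},
    {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                 "Permission": "READ"}]},
    {"PolicyStatus": {"IsPublic": False}})

# Constructed sample: the same bucket after hardening.
HARDENED = audit_bucket(
    {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}},
    {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                 "Permission": "FULL_CONTROL"}]},
    {"PolicyStatus": {"IsPublic": False}})
```

Against live buckets the same function can be fed the real boto3 responses; an empty list is the state every bucket holding customer records should be in.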

4 Responses
  1. André says:

    Low risk POTENTIAL vulnerability??
    The sodding database was left unprotected in an Amazon bucket??? Are they insane??
    Are they reporting this to the ICO?

    1. CJ says:

      Anyone who thinks email addresses are not critical data does not deserve to hold my email address.

  2. Meadmodj says:

    They will be fined but of course it is far too late. Too many organisations implementing WIFI insist on data capture to offer “free” access, and there is a lack of guidance to users. The organisation/company should also be held responsible as well as the service provider, as it’s their brand that is promoted.

    The answer as always is to have a non-essential email address(es); not only does it protect against public access issues like this, but also internet product enquiries and the latest barrage of sales counters asking for your email (e.g. Halfords).

  3. CJ says:

    According to the BBC article about this, C3UK decided not to report the incident to the ICO because the data had not been stolen or accessed. Yet it’s obvious the data was accessed, by the security researchers.

    However Network Rail intends to inform the ICO and “strongly suggested” to C3UK that they report it too. Good on them for going public with that statement. It means C3UK can’t plead ignorance of their responsibilities under the law. With any luck, even if C3UK are not fined for their incompetence at handling personal data, they will get fined for consciously ignoring their duty to report the incident and inform users.
