
Network Rail and C3UK Confirm WiFi Personal Data Breach

Monday, Mar 2nd, 2020 (2:40 pm) - Score 2,422

The organisation responsible for maintaining 20,000 miles of railway (train tracks etc.), Network Rail, has confirmed that one of its free WiFi hotspot providers, C3UK, has suffered a personal data breach that leaked the email addresses and travel details of about 10,000 people online.

The BBC reports that the database, which contained an overall total of 146 million records, was found unprotected (no password) online by Jeremiah Fowler, from Security Discovery, on 14th February 2020. Apparently C3UK secured the database just as soon as their attention had been drawn to it, on the same day, although it took them several days to confirm this to the BBC and they didn’t initially respond to Jeremiah.

According to Jeremiah, the exposed database contained customer email addresses, age range, device data, IP addresses and reasons for travel. The date range of documents appeared to cover the period from 28th November 2019 to 13th February 2020.

As most people know, free WiFi networks often don’t allow you to access them unless you first agree to part with some of your personal details (you can of course fake these in order to limit personal data snooping by companies). On top of that it’s often wise to use a Virtual Private Network (VPN) service when on free WiFi, although this shouldn’t be treated as a total security blanket.

Jeremiah Fowler said:

“The reality is “Free Wifi” is not free when you trade your personal data for it. This exposure is a prime example of what are the potential dangers when exchanging your data for a service. The language of their website clearly implies that the trade off for access to the wifi network is advertising and states “Captive audience monetisation via sponsorship, in-page display advertising and local microsite delivery”. It is unclear if this includes more targeted marketing or advertising such as direct emails.

The records I saw collected a profile of the user that included emails, an age range, and reason for travel, etc. By segmenting users they could potentially try to target them with relevant age based ads based on their login questionnaire. There is no privacy policy on the website so it is unclear if user data is shared with 3rd parties or how long or often they will receive marketing messages. In a screenshot posted on Twitter of the survey users must answer for access it does have the terms of access and a privacy policy, but I could not find any information on the website.

It is unclear how long the C3UK Free Wifi database was exposed or who else may have accessed the records. As security researchers we never circumvent passwords or security protection systems, and we do not download the exposed data we discover.”

In response C3UK said that “to the best of our knowledge, this database was only accessed by ourselves and the security firm and no information was made publicly available.” The provider said it was a “low-risk potential vulnerability” and noted that their database did not contain any passwords or “other critical data,” such as financial information.

Apparently the unsecured database was found sitting on cloud storage from Amazon Web Services (AWS). In the past there have been similar incidents where other people and companies using AWS have failed to set up the security of their database correctly, leaving them exposed.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
Comments
4 Responses
  1. André says:

    Low risk POTENTIAL vulnerability??
    The sodding database was left unprotected in an Amazon bucket??? Are they insane??
    Are they reporting this to the ICO?

    1. CJ says:

      Anyone who thinks email addresses are not critical data does not deserve to hold my email address.

  2. Meadmodj says:

    They will be fined but of course it is far too late. Too many organisations implementing WIFI insisting on data capture to offer “free” and a lack of guidance to users. The organisation/company should also be held responsible as well as the service provider as it's their brand that is promoted.

    The answer as always is to have a non-essential email address(s), not only does it protect against public access issues like this, internet product enquiries and latest barrage of sales counters asking for your email (e.g. Halfords).

  3. CJ says:

    According to the BBC article about this, C3UK decided not to report the incident to the ICO because the data had not been stolen or accessed. Yet it’s obvious the data was accessed, by the security researchers.

    However Network Rail intends to inform the ICO and “strongly suggested” to C3UK that they report it too. Good on them for going public with that statement. It means C3UK can’t plead ignorance of their responsibilities under the law. With any luck, even if C3UK are not fined for their incompetence at handling personal data, they will get fined for consciously ignoring their duty to report the incident and inform users.
