Skip to main content

Network Rail leaked data of free Wi-Fi users

(Image credit: Shutterstock.com / LDprod)

Thousands of rail travellers across the UK may have had their online browsing habits leaked online, researchers have warned.

Users who signed up to use free Wi-Fi networks at multiple stations have been affected, with Network Rail and service provider C3UK confirming the breach of a database containing around 146 million records.

Around 10,000 users are thought to have been affected by the breach, which could have allowed tracking of an individual's travel habits, along with access to personal information including personal contact details and even date of birth.

Free Wi-Fi breach

The database, which was not password-protected, was discovered online by researcher Jeremiah Fowler from consultancy firm Security Discovery. Found on an unsecured Amazon Web Services storage platform, the database appears to have been created between November 28 2019 and February 12 2020.

The affected stations included major travel hubs such as London Bridge, as well as commuter hot-spots such as Chelmsford, Burnham and Norwich.

Fowler said that his research suggested hackers could search the database via username, allowing them to spot individual travel journeys whenever the Wi-Fi connection was completed.

According to the BBC, Fowler alerted C3UK to the breach as soon as it was discovered, but the company took nearly a week to reply. C3UK said that the exposed database, which it claims was a back-up copy, was secured as soon as it had been drawn to their attention.

"To the best of our knowledge, this database was only accessed by ourselves and the security firm and no information was made publicly available," it said.

"Given the database did not contain any passwords or other critical data such as financial information, this was identified as a low-risk potential vulnerability."

C3UK added that it would not be informing the Information Commissioner's Office (ICO) about the breach as the data had not been stolen or accessed by any other party.

Via: BBC News