A blundering public Wi-Fi provider has inadvertently revealed the personal details of thousands of UK commuters after leaving a cloud-hosted database incorrectly configured.
Reports suggest that personal details of around 10,000 people could have been openly available online, including their contact details and personal information such as their dates of birth.
146 million records left online unsecured
The security lapse, which was first revealed by the BBC, was confirmed by Network Rail, which manages the UK’s railways infrastructure, and Wi-Fi provider C3UK.
It came to light after a security researcher stumbled upon a database online. The database, which was not password protected, was located on a misconfigured Amazon Web Services (AWS) server.
It was an Amazon S3 storage bucket. AWS insists that S3 buckets are secure by default when correctly configured; this particular bucket, however, was not, and as a result more than 146 million records were openly available for anyone to search and access.
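The check a bucket owner would run to catch this kind of exposure, as an added example that is not code from the article, C3UK or AWS: it decides whether a bucket is listable or readable by anonymous principals from the three responses boto3's S3 client returns for get_public_access_block, get_bucket_acl and get_bucket_policy_status (those response shapes and the two sample buckets are assumptions constructed for illustration).

```python
"""Decide whether an S3 bucket is listable/readable by anonymous principals.

Added example, not code from the article or from C3UK/AWS. The input dicts
mirror the shapes boto3's S3 client returns from get_public_access_block(),
get_bucket_acl() and get_bucket_policy_status(); samples are constructed.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def public_exposure(pab: dict, acl: dict, policy_status: dict) -> list:
    """Return the reasons anonymous callers can list or read the bucket.

    An empty list means every public grant is neutralised by the Public
    Access Block settings, which is the state AWS applies by default.
    """
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    findings = []

    # A READ grant to AllUsers/AuthenticatedUsers on the bucket ACL lets
    # anyone list the bucket: the "searchable" exposure described above.
    # IgnorePublicAcls=True makes S3 disregard such grants even if present.
    if not cfg.get("IgnorePublicAcls", False):
        for grant in acl.get("Grants", []):
            grantee = grant.get("Grantee", {})
            if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
                if grant.get("Permission") in ("READ", "FULL_CONTROL"):
                    group = grantee["URI"].rsplit("/", 1)[-1]
                    findings.append(f"ACL grants {grant['Permission']} to {group}")

    # AWS marks a bucket policy IsPublic when it grants access to Principal "*";
    # RestrictPublicBuckets=True confines such a policy to the owning account.
    if (policy_status.get("PolicyStatus", {}).get("IsPublic", False)
            and not cfg.get("RestrictPublicBuckets", False)):
        findings.append("bucket policy allows anonymous principals")

    return findings


# Constructed sample 1: no Public Access Block at all (get_public_access_block
# raised NoSuchPublicAccessBlockConfiguration, treated as {}) plus a public ACL.
EXPOSED_BUCKET = (
    {},
    {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    {"PolicyStatus": {"IsPublic": False}},
)

# Constructed sample 2: the same ACL, but with all four block settings enabled.
BLOCK_ALL = {k: True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                               "BlockPublicPolicy", "RestrictPublicBuckets")}
HARDENED_BUCKET = ({"PublicAccessBlockConfiguration": BLOCK_ALL},) + EXPOSED_BUCKET[1:]

if __name__ == "__main__":
    for name, args in (("exposed", EXPOSED_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, public_exposure(*args) or ["no anonymous access"])
```

Against a live account the same function would be fed the three API responses per bucket; a non-empty result for a bucket holding customer records is exactly the condition the article describes.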
The security researcher, Jeremiah Fowler, from Security Discovery, found that the database contained around 10,000 email addresses as well as various pieces of personal information. Stations affected by the breach include London Bridge, Harlow Mill, Chelmsford, Colchester, Wickford, Waltham Cross, and Norwich.
He claims that because the database was searchable by username, it would have been possible to see who was logging on at which station and when. This would have enabled hackers to build a fairly accurate picture of individuals' travel patterns. The data could have serious personal security consequences.
The database contained information recorded between 28th November 2019 and 12th February 2020 and also included details of devices being used, the type of software those devices were using, and details of software updates.
As Fowler himself pointed out to the BBC, this type of information is particularly sensitive because it can help hackers to plant malware on unsuspecting users' devices.
How C3UK responded to the leak
The response of Wi-Fi provider C3UK to the revelation that one of their databases was freely available online has left a lot to be desired.
Fowler first contacted them to tell them about the database via email on 14th February. Over the following six days he sent two further emails but didn’t receive a single response.
When the BBC contacted both C3UK and Network Rail, it took them a further three days to respond.
In a statement, C3UK then said, “To the best of our knowledge, this database was only accessed by ourselves and the security firm and no information was made publicly available… Given the database did not contain any passwords or other critical data such as financial information, this was identified as a low-risk potential vulnerability.”
Given that Fowler has already explained how the data was not only publicly available but also searchable, this statement appears naïve at best and wilfully misleading at worst. It will certainly do little to reassure commuters who pass through the affected stations.
Even more astonishing is C3UK's decision not to inform the Information Commissioner's Office (ICO) of this breach. That appears highly irresponsible, and it is a relief that Network Rail has informed the BBC that it will do so itself and that it has "strongly advised" C3UK to reverse this particular decision.
How to stay safe when using public Wi-Fi in train stations
If you still commute through those stations affected by this data breach, you can breathe a little easier as Greater Anglia, which runs all the affected stations, has confirmed that it no longer uses C3UK as its Wi-Fi provider.
But there is always the risk that other providers could be similarly lax with your private information, so what can you do to stay safe when using such networks?
The first thing is to always connect to a VPN when using any form of public Wi-Fi. A VPN encrypts all of your traffic between your device and the VPN server, so the Wi-Fi operator sees only an encrypted tunnel; it means that the data companies such as C3UK hold about you is minimal and does not include your browsing history.
This is especially important if you are doing sensitive things on public Wi-Fi, as these networks offer no security of their own and, in some limited cases, even a novice hacker on the same network could see what you're doing.
However, most public Wi-Fi networks will also require you to sign up and provide some personal information in order to access their service in the first place.
Our advice would always be to use fake information to do this. It is good practice to have an anonymous webmail service set up to use for registration to services like this.
Few public Wi-Fi networks will check the information you provide, so you can use a fake name and date of birth without fear of reprisals. Never enter information you don’t have to and don’t reuse passwords from other online services either.
If you take these steps, you should be able to use railway Wi-Fi without having to worry about your online privacy and security. But as this lapse by C3UK shows, if you don’t take these precautions, your data can always be put at risk.