Rail station wi-fi provider exposed traveller data
The email addresses and travel details of about 10,000 people who used free wi-fi at UK railway stations have been exposed online.
Network Rail and the service provider C3UK confirmed the incident three days after being contacted by BBC News about the matter.
The database, found online by a security researcher, contained 146 million records, including personal contact details and dates of birth.
It was not password protected.
Named railway stations in screenshots seen by BBC News include Harlow Mill, Chelmsford, Colchester, Wickford, Waltham Cross, Norwich and London Bridge.
C3UK said it had secured the exposed database - a back-up copy that included about 10,000 email addresses - as soon as it had been drawn to their attention by researcher Jeremiah Fowler, from Security Discovery.
"To the best of our knowledge, this database was only accessed by ourselves and the security firm and no information was made publicly available," it said.
"Given the database did not contain any passwords or other critical data such as financial information, this was identified as a low-risk potential vulnerability."
But Mr Fowler said, based on what he had seen "with [his] own eyes", it appeared to be searchable by username, meaning individuals' regular travel patterns could be gleaned by tracking when they had logged on to each station's wi-fi service.
He found it on unsecured Amazon web services storage.
The database - created between 28 November 2019 and 12 February 2020 - had also revealed software updates and the type of software being used by devices connected to the wi-fi, he said.
"That can provide a secondary pathway for [the installation of] malware," Mr Fowler said.
But he had not downloaded and analysed the entire thing.
"When you see that information, you are racing against the clock to get it closed down," he said.
Mr Fowler contacted C3UK on 14 February and sent two further follow-up emails over the following six days but said he had received no reply.
C3UK said it had chosen not to inform the data regulator, the Information Commissioner's Office (ICO), because the data had not been stolen or accessed by any other party.
The ICO confirmed to BBC News it had not been notified.
"When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected and to consider whether there are steps that can be taken to protect them from any potential adverse effects," it said.
Network Rail has now told the BBC that its own data protection team will contact the ICO to explain its position and advised that it had "strongly suggested" to C3UK that it considered reporting the vulnerability.
On its website, C3UK says it offers its clients "captive audience monetisation via sponsorship, in-page display and local micro-site delivery" and promises "real-time reporting on passenger location, behaviour and content preferences".
Greater Anglia, which runs some of the stations affected, said it no longer used C3UK to provide its station wi-fi.
Network Rail, which manages London Bridge station, said: "We have been assured by our supplier that this was a low-risk issue and the integrity of people's information remains fully secure."
Passengers have to supply their gender and reason for travel in order to use the free wi-fi service at some stations.
The request was queried by a Twitter user in 2018 who logged in at Euston station in London.
The station replied the information was taken "to provide a tailored retail offer and to improve experience" and pointed out there was a "prefer not to say" option.