The personal data of 10,000 UK rail passengers has been exposed after a Wi-Fi provider left a database unsecured online.
C3UK provides passengers with free Wi-Fi at railway stations across the UK. The company admitted failing to secure a database containing user information when contacted by the British Broadcasting Corporation's news team.
The data breach was discovered by security researcher Jeremiah Fowler, who stumbled across the C3UK database while carrying out research online for Security Discovery. Fowler said the database contained 146 million records, including dates of birth, email addresses, and travel plans.
Shockingly, the database was stored on an Amazon Web Services storage device that was not protected by a password and could therefore be viewed by anyone.
Passengers affected by the breach include those who have used free Wi-Fi services at Harlow Mill, Chelmsford, Colchester, Waltham Cross, Burnham, Norwich, and London Bridge. The database had been created between November 28, 2019, and February 12, 2020.
Fowler sent evidence of his discovery to C3UK on Valentine's Day, 2020. When he did not receive an immediate response, the researcher sent two follow-up emails over the next six days, warning the company of the data breach.
"When you see that information, you are racing against the clock to get it closed down," said Fowler.
C3UK said that the unsecured database, which it described as a back-up copy, was secured as soon as it was made aware of the breach.
The company downplayed the seriousness of the breach, stating: "Given the database did not contain any passwords or other critical data such as financial information, this was identified as a low-risk potential vulnerability."
C3UK said that an internal investigation into the cybersecurity incident indicated that the mistake had been caught and rectified before any data had ended up in the hands of bad actors.
"To the best of our knowledge, this database was only accessed by ourselves and the security firm and no information was made publicly available," it said.
After finding no evidence that the data had been accessed or exfiltrated by other parties, C3UK elected not to report the data breach to the regulatory body, the Information Commissioner's Office (ICO).
The C3UK breach was confirmed by Network Rail, which said it had "strongly suggested" to the company that it report the incident to the ICO.