- Who discovered the publicly available database?
- How many passengers were affected? (Who was affected?)
- What kind of information does the database contain?
- Potential risks caused by this unprotected database:
- Who is responsible for this security issue?
- How about the official response?
- How to avoid data breaches caused by public WiFi?
- Bottom line
The BBC revealed a database exposure caused by free rail station WiFi in the UK. Network Rail, the owner and manager of most of the UK’s railway networks, and the WiFi service provider C3UK confirmed this exposure. Thousands of commuters’ personal details were made public without password protection.
Who discovered the publicly available database?
Jeremiah Fowler, a security researcher from Security Discovery, found the database stored unprotected on an Amazon Web Services (AWS) server.
How many passengers were affected? (Who was affected?)
According to the BBC, around 10,000 people who used free WiFi networks at Harlow Mill, Chelmsford, Colchester, Waltham Cross, Burnham, Norwich, and London Bridge were affected. Among these affected stations, London Bridge is one of the major travel hubs.
What kind of information does the database contain?
The exposed database stores more than 146 million records, including email addresses, usernames, birthdates, IP addresses, travel details and so on.
Potential risks caused by this unprotected database:
The leaked data includes 10,000 email addresses, which exposes the users to unwanted marketing emails or malicious phishing emails.
Besides, more information is accessible because the database is open to access and search by username, which makes these users more vulnerable to phishing attacks.
What’s worse, information about the software on devices used to connect to the free WiFi was also accessible. Hackers can exploit this information to infect these users’ devices with malware.
Who is responsible for this security issue?
By default, the database stored on AWS ought to be secure. However, C3UK didn’t configure it correctly. C3UK, the Internet service provider of the free railway networks, is responsible for this security issue.
How about the official response?
“To the best of our knowledge, this database was only accessed by ourselves and the security firm and no information was made publicly available.”
Fowler contacted C3UK three times via email and received no responses.
C3UK claimed to have taken action to solve the security issue soon after it was notified. It didn’t notify Jeremiah Fowler that the exposed database was secured.
“Given the database did not contain any passwords or other critical data such as financial information, this was identified as a low-risk potential vulnerability.”
Treating this issue as a low-risk potential vulnerability and finding no signs that any third party had stolen or accessed the data, C3UK decided not to report this database exposure to the Information Commissioner’s Office (ICO).
Network Rail, however, said it would inform the ICO. Greater Anglia, the owner and manager of most of the UK’s railway networks, decided to stop C3UK from offering railway WiFi to stations.
How to avoid data breaches caused by public WiFi?
Although the database is secured now and the stations will switch to other service providers, there are always security risks on public WiFi. In the following part, we are going to tell you how to avoid data breaches caused by public WiFi.
1. Stay away from public WiFi
Obviously, the most effective way is to avoid using public WiFi. It is dangerous to use public WiFi in public places such as coffee shops, airports, railway stations, etc. Public WiFi is a hotbed for hackers and cybercriminals. They can attack any user of the same public WiFi with ease. When you go out, turn off the WiFi on your phone in case you connect to public WiFi unintentionally. As long as you don’t use it, you won’t suffer data breaches from unreliable free WiFi.
2. Use fake login information
Sometimes there is no other choice but free public WiFi, and you need access to the Internet. If that’s the case, you are strongly recommended to use fake information if a login is required when connecting to the WiFi. At the same time, you should avoid logging in to your accounts and any other activity that may reveal private information.
3. Always connect to a VPN
A VPN service builds a secure tunnel between you and the WiFi. You can stay secure and anonymous online while connected to public WiFi. So, you need not worry about data breaches.
The best VPN to stay safe on public WiFi is RitaVPN. RitaVPN not only secures your data traffic with military-grade encryption but also hides your IP address from online spies. In addition, RitaVPN keeps a strict zero-logs policy. It means that no one will see your online activities, such as what sites you visit, what video you watch or what files you download.
Therefore, if you want to keep yourself secure when connecting to public WiFi, RitaVPN is the best option for you to surf the Internet without any cybersecurity risks.
Bottom line
It is safer to stay away from public WiFi. But when using public WiFi is unavoidable, you need to take extra protection. It is risky to use public WiFi. So, you’d better use a VPN which builds a secure tunnel between you and the Internet. RitaVPN is an easy-to-use VPN that protects you from potential risks on the Internet. Visit https://www.ritavpn.com/ for more information about RitaVPN.