UK-based Network Rail has confirmed that the personal details of commuters using free Wi-Fi at railway stations were exposed online.
According to the BBC, the exposed data includes email addresses and travel histories of around 10,000 people. Internet service provider C3UK has also admitted the leak.
Affected stations include Harlow Mill, Chelmsford, Burnham, Norwich and London Bridge among others.
The confirmation comes after security researcher Jeremiah Fowler found the database containing traveller data on unsecured Amazon web services storage.
The database contained 146 million records and was not password protected. It also included details about the type of software used by connected devices.
Subsequently, C3UK secured the exposed database.
How well do you really know your competitors?
Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.
Your download email will arrive shortly
Not ready to buy yet? Download a free sample
We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below formBy GlobalData
The internet service provider was quoted as saying: “To the best of our knowledge, this database was only accessed by ourselves and the security firm and no information was made publicly available.”
According to the BBC report, C3UK chose not to inform data regulator Information Commissioner’s Office (ICO) after learning about the leak, as it identified the incident as a ‘low-risk potential vulnerability’.
However, experts believe that the exposed travellers can become a victim of phishing attacks, malware attacks and spamming.
CybSafe CEO Oz Alashe said: “C3UK is just the latest in a long line of organisations that have suffered a data leak as a result of incorrect database configurations.
“In the case of C3UK, the compromised information appears to be limited to email addresses and travel details only.
“Nevertheless, such information could still be leveraged for phishing attacks and targeted spear-phishing attacks.”