Leaked: 146 million records relating to users of railway Wi-Fi exposed online

An unsecured database has been found online that contains 146 million records about people who have used free Wi-Fi at railway stations in the UK.

The database was discovered by a security researcher on Amazon web services storage. It was found to include personal details such as usernames, dates of birth, email addresses and details of travel arrangements. Network Rail and the service provider C3UK have confirmed the data leak.

See also:

• Hackers leak personal data of 10.6 million MGM Resorts guests
• FCA reveals data breach that exposed personal details of people complaining about UK's financial watchdog
• Samsung admits to data breach unconnected to mysterious Find My Mobile 1 push notification

The exposed database was found online by security researcher Jeremiah Fowler, from Security Discovery, and details of his discovery were shared with the BBC. The broadcaster says that screenshots of the records show that the Harlow Mill, Chelmsford, Colchester, Waltham Cross, Burnham, Norwich and London Bridge railway stations were included.

But C3UK is downplaying the leak. The company says the database was a back-up copy that included about 10,000 email addresses, adding:

To the best of our knowledge, this database was only accessed by ourselves and the security firm and no information was made publicly available. Given the database did not contain any passwords or other critical data such as financial information, this was identified as a low-risk potential vulnerability.

The database covers the period November 28, 2019 to February 12, 2020, and the researcher who found it says that it was searchable. He voices concerns that the database could be used to determine users' travel patterns, and the fact that among the records were also details of connected devices' software and updates that mean it could be useful for installing malware.

Image credit: lightpoet / DespositPhotos