User data on thousands of UK rail passengers accessible online

Personal information of around 10,000 people who used free internet at UK railway stations has been found online due to a misconfigured bucket, Network Rail and C3UK have confirmed.

According to the BBC, the bucket was sitting on a misconfigured Amazon Web Services server. It contained more than 146 million records, including dates of birth and contact details.

Edit: An AWS spokesperson clarified that "when configured correctly, AWS S3 buckets are secure by default."

Affected railway stations include: Harlow Mill, Chelmsford, Colchester, Waltham Cross, Burnham, Norwich and London Bridge.

C3UK said it had secured the bucket as soon as the lapse was brought to its attention, but downplayed the significance of the finding.

"To the best of our knowledge, this bucket was only accessed by ourselves and the security firm and no information was made publicly available," said C3UK.

"Given the bucket did not contain any passwords or other critical data such as financial information, this was identified as a low-risk potential vulnerability."

But security expert Jeremiah Fowler begs to differ. He claims the bucket was searchable by username, meaning travel patterns could be determined, and added that the bucket could also have been used to determine the type of software being used to access the WiFi.

Network Rail has said its data protection team will contact the ICO to explain its position.

Edit:

An AWS spokesperson reached out to clarify that this was not in fact a leak, but rather a result of a "misconfigured bucket". The terminology has been amended to better reflect what had happened.