On February 14th I discovered a non-password protected database that contained a massive amount of records totaling 146 million. Upon further review I was able to see connections to what appeared to be free wifi details in major UK train stations. I could see a large amount of records that contained email addresses, age ranges, what was the reason for their travel, device data, and other internal logs. There were references to a company called C3UK inside the database and multiple domains that contained some form of the name C3.
Once I was able to validate who owned the database, I immediately sent a responsible disclosure notice by email to C3UK alerting them to the exposure. There was no phone number and only a single email address listed on the website. It really is a race against the clock when it comes to data protection, and the faster public access is restricted, the lower the chances are of data theft or of the dataset being wiped out by ransomware. We discovered this database on a Friday and there was a serious concern that these records would be exposed all weekend and no one would see the email until Monday.
One of the records indicated the London Bridge Station that is operated by Network Rail. I called Network Rail and they were extremely professional and tried to get me to the correct department, but could not provide me with any direct contacts to C3UK. The agent took my information and said it would be passed on but no one from C3UK ever reached out or replied. There were multiple station names listed that were operated by Greater Anglia, but once again access was closed before I could get a complete count of stations.
Not long after sending the notice, C3UK acted fast and restricted public access to the database on Friday Feb 14th. Unfortunately, no one replied to my initial notification, which is sometimes normal as organizations conduct their internal investigations. On Monday Feb 17th I sent a follow-up and then a final message on Thursday Feb 20th that simply asked them to acknowledge that my previous messages had been received. These messages also went unanswered.
Here is what was discovered:
- Many of the records I personally saw contained customer email addresses, age range, device data, IP and reason for travel.
- Internal logs regarding the system, errors, and records that should not be exposed online.
- 146 million records in total (not all of these had user info).
- The date range of documents appears to be from 11/28/2019 to 2/13/20.
- IP addresses, Ports, Pathways, Build and Version, and Storage information that cyber criminals could potentially exploit to access deeper into the network.
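The list above mixes personal data (email, IP, postcode) with internal system logs in one store. One control a defender can run before records are written to a shared or analytics database, or over an export of it, is a scan that flags which records carry personal data at all. The following is an added example, not code from the post or from C3UK: the record shapes, field names and values are constructed for illustration, and the three detection categories (email, IPv4 address, UK postcode) are my own choice of what to look for.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample records, loosely modelled on the field *types* the post
# lists (email, age range, device data, IP, reason for travel, internal logs).
# None of these values come from the exposed database.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {
        "email": "traveller1@example.com",
        "age_range": "25-34",
        "ip": "203.0.113.7",
        "reason": "commute",
        "postcode": "SW1A 1AA",
        "device": "Mozilla/5.0 (Linux; Android 10)",
    },
    {"event": "wifi_session_start", "ip": "198.51.100.22", "station": "station-A"},
    {"event": "build_info", "version": "x.y.z", "path": "/opt/portal/bin"},
]

# Detection patterns (assumed categories). The postcode pattern is a loose
# match for the common UK outward/inward format and will over-match on some
# uppercase tokens, which is acceptable for a triage scan that errs toward
# flagging rather than missing personal data.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
}


def classify_record(record: Dict[str, str]) -> Set[str]:
    """Return the set of personal-data categories found anywhere in a record."""
    found: Set[str] = set()
    for value in record.values():
        text = str(value)
        for label, pattern in PATTERNS.items():
            if pattern.search(text):
                found.add(label)
    return found


def summarize(records: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count how many records contain each category, and how many contain any.

    A non-zero 'records_with_pii' for a store that is meant to hold only
    system logs is the signal that the data pipeline needs to be fixed, quite
    apart from whether the store itself is protected by authentication.
    """
    counts = {label: 0 for label in PATTERNS}
    counts["records_with_pii"] = 0
    for record in records:
        labels = classify_record(record)
        for label in labels:
            counts[label] += 1
        if labels:
            counts["records_with_pii"] += 1
    return counts


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(sorted(classify_record(record)), record)
    print(summarize(SAMPLE_RECORDS))
```

Run over the constructed records, the scan reports one record with an email address and a postcode, two with an IP address, and one (the build-info log entry) with no personal data at all; that is the kind of split that tells an operator which records belong in a customer-data store with access controls and which are merely operational logs.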
What is the danger?
Whenever email addresses are exposed it raises the risk of a targeted phishing attack. The first thing people think of is more annoying spam, but it goes much deeper. Many people use their real name as part of the email address and further expose their personal identities. In this case anyone with an internet connection could see what station the user was at, a time stamp, ads they may have seen, the postcode where they live and much more. Every little piece of information is essentially a puzzle piece that can be used to paint a bigger picture of the user.
Today, data is just as valuable as any product or service and companies who collect and store user data must do more to protect it. It is unclear exactly how many “user” email addresses were exposed because I reported it as soon as I discovered the suspected owner. On a positive note C3UK took immediate action to secure their user data and internal records and restricted public access before I could fully analyze the millions of records inside the database.
Nothing for Free?
The reality is that “Free Wifi” is not free when you trade your personal data for it. This exposure is a prime example of the potential dangers of exchanging your data for a service. The language of their website clearly implies that the trade-off for access to the wifi network is advertising, and states “Captive audience monetisation via sponsorship, in-page display advertising and local microsite delivery”. It is unclear if this includes more targeted marketing or advertising such as direct emails.
It is unclear how long the C3UK Free Wifi database was exposed or who else may have accessed the records. As security researchers we never circumvent passwords or security protection systems, and we do not download the exposed data we discover. We take 10-15 screenshots strictly for verification purposes and securely delete them per our own internal data protection policies. In this discovery anyone with an internet connection and a free Chrome browser extension could have accessed this data with no specialized tools or knowledge.
As part of our responsible disclosure process we extend our assistance to organizations to help them understand how we discovered the data, any IP addresses used, time ranges, or answering any questions that may help their internal investigation process. This assistance is free of charge and much of the research we do is not-for-profit or funded by bug bounties and discovery rewards. We follow a responsible disclosure model and our mission is data protection, raising awareness, and highlighting best practices.
For more information see BBC's coverage: