A free Wi-Fi service at rail stations in the UK exposed the personal information of about 10,000 people, and the provider did not notify authorities because it considered the situation “low-risk,” the BBC reports. Email addresses, dates of birth and travel information were among the details visible in an unprotected database from provider C3UK, which was discovered by security researcher Jeremiah Fowler. Affected stations included Harlow Mill, Chelmsford, Colchester, Waltham Cross, Burnham, Norwich, and London Bridge, according to the BBC.
C3UK told the BBC that it secured the database, created between November 28th and February 12th, as soon as Fowler notified the company. C3UK did not notify the Information Commissioner’s Office (ICO) because, it said, the data had not been stolen or accessed by a third party. The ICO is the UK’s independent regulatory agency that oversees data privacy issues.
“Given the database did not contain any passwords or other critical data such as financial information, this was identified as a low-risk potential vulnerability,” the company said. But the ICO told the BBC that it would expect an organization “to consider whether it is appropriate to contact the people affected and to consider whether there are steps that can be taken to protect them from any potential adverse effects.”
Fowler said the database was searchable by user name, which could have allowed anyone with access to track the travel patterns of the people whose information was included.
Network Rail, which manages London Bridge station, said it “strongly suggested” to C3UK that the vulnerability be reported, but told the BBC, “We have been assured by our supplier that this was a low-risk issue and the integrity of people’s information remains fully secure.” Greater Anglia, which runs some of the other affected stations, said it no longer uses C3UK as its free Wi-Fi provider.