Understandably we are all focused on the growing threat of coronavirus, but that doesn’t mean that other risks have gone away. In particular, this week we saw announcements of high-profile data breaches at Network Rail and Virgin Media.
On Monday it emerged that the email addresses and travel details of about 10,000 people who used free wifi at UK railway stations had been exposed online. The database, found on Amazon Web Services by a security researcher, included personal contact details and dates of birth. Then on Thursday it was announced that a database containing details of 900,000 Virgin Media customers and potential customers had been accessible online for ten months. Once again this contained phone numbers, home and email addresses. It is believed that neither database contained any passwords or financial details.
Whilst the underlying cause of the incidents appears very similar (failure to properly secure information stored in the cloud), the responses have been quite different. Virgin Media promptly acknowledged that the information was accessed “on at least one occasion”, apologised to customers, and informed the Information Commissioner’s Office (ICO). By contrast the wifi provider to Network Rail, C3UK, stated on Monday that “To the best of our knowledge, this database was only accessed by ourselves and the security firm and no information was made publicly available;” and, based on this, they had chosen not to inform the ICO.
It is not clear if C3UK’s approach has provided much reassurance to passengers who may have been affected. It would appear, though, that their customers, Network Rail and train operating companies, are not overly impressed. Network Rail have stated that they have contacted the ICO themselves and had “strongly suggested” to C3UK that it consider reporting the vulnerability; and Greater Anglia said it no longer used C3UK to provide its station wifi.