A researcher at Security Discovery has revealed that data on users who connected to free Wi-Fi hotspots at several train stations in the UK had been stored in a database with no password protection. The database contained 146 million records, which included email addresses, age ranges, the reason for travel, device data, and other logs.
C3UK, which operates the database, restricted public access to it on Friday, February 14th, the same day that the issue was reported. However, the firm did not respond to several of the researcher's emails seeking confirmation that it had received the earlier messages about the issue.
According to Jeremiah Fowler, who uncovered the issue, a database of emails like this increases the risk of targeted phishing attacks. He wrote:
“Whenever email addresses are exposed it raises the risk of a targeted phishing attack. The first thing people think of is more annoying spam, but it goes much deeper. Many people use their real name as part of the email address and further expose their personal identities. In this case anyone with an internet connection could see what station the user was at, a time stamp, ads they may have seen, the postcode where they live and much more. Every little piece of information is essentially a puzzle piece that can be used to paint a bigger picture of the user. … This is a wakeup call for companies and users to take every precaution to protect your identity and data when it comes to public or free Wi-Fi.”
As more and more free Wi-Fi hotspots begin to pop up around towns and cities, both providers and consumers will have to start thinking about how to better protect data. For end-users, data can be better secured by using tools such as Jigsaw’s Intra or a Virtual Private Network.