SNCB Europe data leak involves more than one million customers

Brussels, 23 December 2012 - For several weeks, personal details of more than one million customers of the train company SNCB Europe were available online. Although the exact search terms that led to the original discovery are unknown, the data were accessible via a simple query in a search engine.

On 22 December, a user of the forum ADSL-BC reported his discovery with amazement. With a random query in a search engine he had been able to access a database of millions of SNCB Europe customers. It contained surnames, first names, title (Mr/Mrs), email addresses and, in some cases, postal addresses and phone numbers. After a few replies and recommendations, the user removed the URL from his post so that the file would not be exposed more widely.

Screenshot of the leaked file

File size: 181.6 MB
Amount of items in the list: 1,460,735

Headers: CUST_ID, CONTACT_STATE, ACTIVE, DISTRIBUTOR, CUST_TYPE, GENDER, FIRSTNAME, LASTNAME, BIRTHDATE, LOGON_ID, REGISTERED, CONTACT_LANGUAGE, CONTACT_LANGUAGE_XX, STREET, HOUSE_NR, ADDITIONAL_NR, POSTAL_CODE, CITY, COUNTRY, PRIVATE_FIXED_TELEPHONE, PRIVATE_MOBILE_TELEPHONE, BUSINESS_TELEPHONE, EMAIL.

Excluding the header row, 1,460,734 records remain. Each line corresponds to one SNCB Europe customer.
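To make the impact of such an export concrete, here is an added triage script (not part of the NURPA release, and not SNCB code) that reads a CSV with exactly the column names listed above, counts the records after the header row and reports how many records carry each category of personal data. The three records embedded in it are constructed for illustration; only the column names come from the release.

```python
"""Breach-impact triage for a leaked customer export.

Added example, not part of the NURPA press release. The CSV content below is
constructed for illustration; only the column names match the leaked file.
"""
import csv
import io

# Constructed sample in the shape of the leaked export: header row plus records.
# Record 2 has no postal address or phone number, mirroring "in some cases".
SAMPLE_CSV = (
    "CUST_ID,CONTACT_STATE,ACTIVE,DISTRIBUTOR,CUST_TYPE,GENDER,FIRSTNAME,LASTNAME,"
    "BIRTHDATE,LOGON_ID,REGISTERED,CONTACT_LANGUAGE,CONTACT_LANGUAGE_XX,STREET,"
    "HOUSE_NR,ADDITIONAL_NR,POSTAL_CODE,CITY,COUNTRY,PRIVATE_FIXED_TELEPHONE,"
    "PRIVATE_MOBILE_TELEPHONE,BUSINESS_TELEPHONE,EMAIL\n"
    "1,OK,1,WEB,P,M,Jan,Peeters,1980-01-01,jan.p,2010-05-05,NL,,Kerkstraat,12,,"
    "1000,Brussel,BE,,+32400000001,,jan@example.invalid\n"
    "2,OK,1,WEB,P,F,Marie,Dupont,,marie.d,2011-06-06,FR,,,,,,,,,,,"
    "marie@example.invalid\n"
    "3,OK,0,AGENT,P,M,Luc,Martin,1975-03-03,luc.m,2009-07-07,FR,,Rue Haute,5,B,"
    "1000,Bruxelles,BE,+3225550000,,,luc@example.invalid\n"
)

# Personal-data categories mapped to the column names of the leaked file.
PII_CATEGORIES = {
    "identity": ["FIRSTNAME", "LASTNAME", "GENDER", "BIRTHDATE"],
    "postal_address": ["STREET", "POSTAL_CODE", "CITY"],
    "telephone": ["PRIVATE_FIXED_TELEPHONE", "PRIVATE_MOBILE_TELEPHONE",
                  "BUSINESS_TELEPHONE"],
    "email": ["EMAIL"],
    "account": ["LOGON_ID"],
}


def triage(csv_text):
    """Return record count and, per PII category, the columns found and the
    number of records with at least one non-empty value in that category."""
    reader = csv.DictReader(io.StringIO(csv_text))
    present = {cat: [c for c in cols if c in reader.fieldnames]
               for cat, cols in PII_CATEGORIES.items()}
    per_category = {cat: 0 for cat in PII_CATEGORIES}
    records = 0
    for row in reader:          # DictReader already skipped the header row
        records += 1
        for cat, cols in present.items():
            if any((row.get(c) or "").strip() for c in cols):
                per_category[cat] += 1
    return {
        "records": records,
        "columns_by_category": present,
        "records_per_category": per_category,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_CSV)
    print(f"{report['records']} customer records")
    for cat, n in report["records_per_category"].items():
        print(f"  {cat:15s} {n} records, columns {report['columns_by_category'][cat]}")
```

Run against the real export, the record count would be the line count minus one, matching the 1,460,734 quoted above; the per-category counts are what an incident response team needs to scope notifications (everyone with an email address versus the subset whose address or phone number was also exposed).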

Contrary to what the spokesman of SNCB Europe stated yesterday, a file available on the Internet is not "private" simply because its address (URL) has not been published. Any file and any information reachable on the Internet is de facto public unless access to it is restricted by an authentication mechanism. In the present case, nothing restricted access to the file.

Ironically enough, SNCB Europe has always had a poor policy on open data [1]: it has, for instance, systematically blocked every attempt by users to develop mobile applications allowing easy (and free) consultation of train schedules. In the meantime, however, the company left the personal data of more than one million users easily accessible.

"Contrary to the statement of the SNCB Europe spokesperson, the person who revealed the information did not use any trick to access the file. The database containing 1,460,734 customers was freely accessible via a trivial query on a search engine. This management of personal data is shockingly irresponsible. The SNCB made no effort whatsoever to ensure that these data are inaccessible to the public and failed in its duty to protect its customers' personal data," says André Loconte, spokesman of NURPA.

Affected users may bring the case before the Belgian CPP.

Notes

[1] See the press review of the iRail non-profit organisation, "iRail being forced to cease and desist (& continuing)".