Major data leak at the Belgium railway company
This article is also available in:
Deutsch: Schwere Datenpanne bei der belgischen Bahn
At the end of December 2012, the personal data of more than one million customers of the Belgian train company SNCB Europe were available on-line, at a simple query in a search engine. The data contained in the SNCB database included names, email addresses and even, in some cases, phone numbers and home addresses. The forum user having discovered the link to the database, after having reported his discovery, deleted the address (URL) from the forum post to avoid further exposure.
On 22 December 2012, a spokesman of SNCB Europe stated that a file available on the Internet was private, as its URL was not revealed. Actually, any information accessible on the Internet is public if it is not restricted by an authentication mechanism.
"Contrary to the statement of the SNCB Europe spokesperson, the person who revealed the information did not use any trick to access the file. The data base containing 1,460,734 customers was freely accessible via a trivial query on a search engine. This management of personal data is shockingly irresponsible. The SNCB made no effort whatsoever to ensure that these data are inaccessible to the public and failed in its duty to protect its customers' personal data." said André Loconte, spokesman of EDRi Observer NURPA (Net Users' Rights Protection Association).
Furthermore, the Belgium company has not yet informed the people affected by this leak as, unfortunately, there is no Belgian law imposing the notification obligation in such cases.
According to CPVP (the Belgian data protection commission) which receives privacy complaints, in order to find out whether one is on the leaked database, the respective user must send a letter to SNCB with a copy of his/her identity document.
NURPA has created a free software application allowing interested Internet users to fill up a questionnaire to generate the necessary mails in order to obtain the information concerning the presence of their personal data in the respective database. The application also permits users to submit complaints to CPVP and to oppose the use and exploitation of their personal data. CPVP has launched an investigation having already received more than 1700 complaints at the level of the first week of January 2013.
SNCB Europe data leak involves more than one million customers (23.12.2013)
Hermes : simplify your actions within « SNCBgate » (only in French,
Hermes - SNCB Europe leaked your personal data
Second-class service (10.01.2013)