Recurring: unknown
(a) The software failure incident having happened again at one_organization: the article does not mention any previous incidents of a similar nature within the same organization [97490].
(b) The software failure incident having happened again at multiple_organization: the article does not mention any previous incidents of a similar nature at other organizations [97490].

Phase (Design/Operation): design, operation
(a) The software failure incident was related to the design phase. It occurred because a database containing the personal contact details and travel information of about 10,000 people was exposed online. The database was unsecured and not password protected, leaving it open to unauthorized access [97490]. The database also revealed the software updates and the type of software used by devices connected to the wi-fi, which could potentially lead to the installation of malware [97490].
(b) The incident was also related to the operation phase, since the system could be misused: the exposed database could be searched by username, allowing an individual's regular travel patterns to be tracked from their wi-fi logins at various railway stations. Such misuse could have adverse effects on the privacy and security of the individuals affected [97490].

Boundary (Internal/External): within_system
(a) within_system: The software failure incident was primarily within the system. It involved the exposure of sensitive traveler data because a database containing personal contact details and travel information was left unprotected by the wi-fi service provider C3UK [97490]. The database was accessible online and contained records of individuals' travel patterns, software updates, and the type of software used by devices connected to the wi-fi service. C3UK identified the vulnerability as a low-risk potential vulnerability, but it still posed a threat because the software update information revealed in the database could potentially be used to install malware [97490].

Nature (Human/Non-human): non-human_actions, human_actions
(a) The software failure incident was primarily due to non-human actions. It involved the exposure of traveler data from UK railway stations through an unsecured database found online by a security researcher. The database, containing the personal contact details and dates of birth of about 10,000 people, was not password protected and was accessible on unsecured Amazon Web Services storage. The vulnerability was identified as a low-risk potential vulnerability, and the database did not contain critical data such as passwords or financial information. Security researcher Jeremiah Fowler found the database and alerted the service provider, C3UK, so that it could be secured [97490].
(b) Human actions also played a role in the incident. Despite being informed about the exposed database by the security researcher, C3UK did not respond to his emails for several days. C3UK also chose not to inform the data regulator, the Information Commissioner's Office (ICO), stating that the data had not been stolen or accessed by any other party; the ICO confirmed that it had not been notified. Network Rail, the organization managing London Bridge station, advised C3UK to consider reporting the vulnerability to the ICO. The delayed response and the decision not to inform the relevant authorities can be considered contributing factors introduced by human actions [97490].

Dimension (Hardware/Software): software
(a) The software failure incident was not directly attributed to hardware issues. It involved the exposure of traveler data from a database found online without password protection, leading to potential vulnerabilities in the system [97490].
(b) The incident was primarily due to contributing factors originating in software. The database was found online without proper security measures such as password protection. Additionally, the database revealed the software updates and the type of software used by devices connected to the wi-fi, which could potentially lead to the installation of malware [97490].

Objective (Malicious/Non-malicious): non-malicious
(a) The software failure incident in Article 97490 was non-malicious. It involved the exposure of the personal contact details and travel information of about 10,000 people who used free wi-fi at UK railway stations, through a database found online without password protection. A security researcher discovered the database; it was accessed by the service provider and the security firm, and no information was made publicly available. The incident was identified as a low-risk potential vulnerability, and the data had not been stolen or accessed by any other party [97490].

Intent (Poor/Accidental Decisions): poor_decisions
(a) The software failure incident in Article 97490 can be attributed to poor decisions made by the wi-fi service provider C3UK. Despite being informed about the exposed database by researcher Jeremiah Fowler, C3UK chose not to inform the data regulator, the Information Commissioner's Office (ICO), because it believed the data had not been stolen or accessed by any other party. This decision not to report the vulnerability to the ICO was criticized, since organizations are expected to consider contacting affected individuals and taking steps to protect them from potential adverse effects when a data incident occurs [97490].

Capability (Incompetence/Accidental): development_incompetence, accidental
(a) The software failure incident in Article 97490 can be attributed to development incompetence. The email addresses and travel details of about 10,000 people who used free wi-fi at UK railway stations were exposed because the database was not password protected [97490]. That a security researcher could find the database online indicates a lack of proper security measures during the development and maintenance of the system; the failure to secure the database properly can be seen as a result of development incompetence.
(b) The incident can also be considered accidental. The exposure of the database containing personal contact details and dates of birth was not intentional. A security researcher discovered the database on unsecured Amazon Web Services storage, indicating that the exposure was an accidental oversight rather than a deliberate act [97490].

Duration: temporary
(a) The software failure incident was temporary, as it was due to contributing factors introduced by particular circumstances. It involved the exposure of traveler data through an unsecured database found online by a security researcher [97490]. The database was created between 28 November 2019 and 12 February 2020, indicating a specific timeframe for the exposure of the data. Once the incident was brought to the attention of the service provider and the security firm, it was addressed promptly and the exposed database was closed [97490].

Behaviour: other
(a) crash: The incident involving the exposure of traveler data at UK railway stations was not described as a crash, in which the system loses state and stops performing its intended functions; there was no complete system failure.
(b) omission: The incident did not involve the system omitting to perform its intended functions at one or more instances; it concerned the exposure of sensitive data through a security vulnerability.
(c) timing: Timing was not a factor in this case; the incident was primarily about the exposure of personal data due to a lack of proper security measures.
(d) value: The incident did not involve the system performing its intended functions incorrectly; it was about the lack of proper security measures that led to data exposure.
(e) byzantine: The incident did not exhibit the characteristics of a byzantine failure, in which the system behaves erroneously with inconsistent responses and interactions; it was a security vulnerability leading to data exposure.
(f) other: The behavior of the incident was a security vulnerability that allowed sensitive traveler data to be exposed because a database was not password protected, rather than a specific failure mode such as crash, omission, timing, value, or byzantine behavior.