Major data leak at the Belgium railway company

By EDRi · January 16, 2013

This article is also available in:
Deutsch: [Schwere Datenpanne bei der belgischen Bahn |]

At the end of December 2012, the personal data of more than one million
customers of the Belgian train company SNCB Europe were available
on-line, at a simple query in a search engine. The data contained in the
SNCB database included names, email addresses and even, in some cases,
phone numbers and home addresses. The forum user having discovered the
link to the database, after having reported his discovery, deleted the
address (URL) from the forum post to avoid further exposure.

On 22 December 2012, a spokesman of SNCB Europe stated that a file
available on the Internet was private, as its URL was not revealed.
Actually, any information accessible on the Internet is public if it is
not restricted by an authentication mechanism.

“Contrary to the statement of the SNCB Europe spokesperson, the person
who revealed the information did not use any trick to access the file.
The data base containing 1,460,734 customers was freely accessible via a
trivial query on a search engine. This management of personal data is
shockingly irresponsible. The SNCB made no effort whatsoever to ensure
that these data are inaccessible to the public and failed in its duty to
protect its customers’ personal data.” said André Loconte, spokesman of
EDRi Observer NURPA (Net Users’ Rights Protection Association).

Furthermore, the Belgium company has not yet informed the people
affected by this leak as, unfortunately, there is no Belgian law
imposing the notification obligation in such cases.

According to CPVP (the Belgian data protection commission) which
receives privacy complaints, in order to find out whether one is on the
leaked database, the respective user must send a letter to SNCB with a
copy of his/her identity document.

NURPA has created a free software application allowing interested
Internet users to fill up a questionnaire to generate the necessary
mails in order to obtain the information concerning the presence of
their personal data in the respective database. The application also
permits users to submit complaints to CPVP and to oppose the use and
exploitation of their personal data. CPVP has launched an investigation
having already received more than 1700 complaints at the level of
the first week of January 2013.

SNCB Europe data leak involves more than one million customers (23.12.2013)

Hermes : simplify your actions within « SNCBgate » (only in French,

Hermes – SNCB Europe leaked your personal data

Second-class service (10.01.2013)