News + Trends

Data leak at SBB: Data records of Swisspass holders were publicly accessible

Richard Müller
24-1-2022
Translation: machine translated
Pictures: Thomas Kunz

At the beginning of the year, a data leak was discovered on the public transport platform "NOVA". An IT expert used a simple trick to download over 500,000 data records from SBB customers.

SBB informed about a hack on Monday. The incident occurred at the beginning of the year. In a media release, it writes that the "data leakage" was immediately remedied. According to research by Swiss Radio and Television's (SRF) "Rundschau," half a million travelers across the Swisspass network were affected.

Die sensiblen Daten lagen praktisch öffentlich im Nezt.
IT-Sicherheitsexperte, Hat SBB-Kundendaten gehackt.

According to the report, an IT security expert used a simple trick to download a large amount of personal data from customers at SBB. "You don't even need special expertise. Anyone could have done it," he told SRF's "Rundschau" program. "The sensitive data was practically public on the net."

Specifically, the IT security expert managed to find out the names of the travelers, the date of birth, the number of tickets purchased, and the departure and destination points. Theoretically, this could be used to create a movement profile of all affected customers, the expert explained further.

The data leak affects the entire Swisspass network and thus practically all public transport companies as well as all customers with a Half-Fare Card or General Abonnement.

SBB has closed security gap

The Swisspass Alliance and SBB have acknowledged the vulnerability. It was an error in the system for subscription renewals, SBB wrote in a media release. They apologize to public transport customers. However, customers were not harmed. SBB immediately informed the Federal Data Protection and Information Commissioner and the public transport companies involved. An internal investigation had also been launched.

The IT security expert committed the data theft over the holidays. He subsequently informed SBB of the incident with a detailed report. "I am not a criminal. I want to raise awareness for data protection," he said, explaining the hack. He immediately anonymized all personal data. He also stressed that no SBB customer had been harmed as a result of it. "The federal railroads reacted very quickly and closed the hole in a highly professional manner."

132 people like this article


User Avatar
User Avatar

I'm a journalist with over 20 years of experience in various positions, mostly in online journalism. The tool I rely on for my work? A laptop – preferably connected to the Internet. In fact, I also enjoy taking apart laptops and PCs, repairing and refitting them. Why? Because it's fun! 


These articles might also interest you

Comments

Avatar