Train kiosks vulnerable

Olivia Storey/James Pavett

Southern Rail have been left wide open to cyber security attacks by a problem that has been ongoing since November 2016.

Ticket kiosks were found to have admin privileges open for access by any user of the machine.

Southern Rail were first alerted to the issue back in November; however, it does seem to be an ongoing concern.

The kiosks are open for abuse from any passer-by, with the C Drive accessible to everyone, leaving the company liable for any breach that could have happened.

Southern Rail don’t appear to have been monitoring the kiosks, and any or all of the customers who used them could have had personal and financial details compromised, breaching multiple data protection standards.

It does raise the question: do they take cyber security seriously? So we asked Mark James, ESET IT Security Specialist, how Southern Rail could make such a mistake and how any company can make sure its security is tip-top.

“Sadly keeping security up together is not always as simple as it seems, as systems develop and mould into the gateways we use each and every day to achieve our tasks.

“The underlying software often is cobbled or stuck together as more and more is added.

“When it comes to making it safe and secure it’s not as easy as your average desktop PC, but when the public are using these gateways to hand over private and financial details we would expect them to be as safe as possible.

“For the company that owns said hardware, quite often it’s down to cost.

“Where do we spend the money? Keeping the public happy with service and schedules? Or using some of that money to upgrade systems and security?

“Often the latter will take a backseat, but they directly affect each other: if systems are susceptible to attack and users’ details are stolen then public perception and trust may greatly influence future sales.

“Security is all about layering defences, forming a good secure base operating system, maintaining a regular patched environment.

“Installing a good internet security product and then forming hardware and software layers on top.

“If your foundations are flawed then the rest may not necessarily help you and you’re still wide open for attack.

“You cannot cut corners, you have to spend money and you have to take security seriously, it needs to be by design and not an afterthought or an add-on.”


Does an attack on travel services concern you? Let us know on Twitter @ESETUK.
