Commuters slam UK rail operator c2c. You slow, late, er... privacy violator

Commuters in the south east of England, already angry about recent timetable changes and delays, have been further incensed by basic security blunders by rail operator c2c as it tried to placate passenger disquiet with a new compensation form on its website.

The company, which operates rail service between London Fenchurch Street and Southend in Essex, initially used an unencrypted form to request private information.

In addition, it failed to use the BCC field in a recent bulk email, thus disclosing the email addresses of more than 500 people in the process.

Major revisions to its timetable were applied in December 2015. The changes – the biggest in nine years – have not gone down well, according to our tipster Paul F, who alerted us to the privacy flap. Increased overcrowding and delays resulted in a social media backlash and a commuter protest at Fenchurch Street station, attended by Southend West MP David Amess.

The protests led to a number of timetable changes, and most recently, an offer from c2c of financial compensation for disrupted journeys and inconvenience; it set up a web form on its website to collect application information.

This form collects personal details, yet it was initially set up unencrypted. c2c told El Reg that had since rectified the issue:

Our standard practice is to encrypt our webforms, and all previous similar schemes have been fully encrypted.

In this instance the form was loaded to the wrong server in error, but it was replaced with an encrypted version after a few hours, once we became aware of the issue.

No personal financial information was ever solicited through the website – which is just as well with the benefit of hindsight. All sorts of other sensitive info was collected, however, including names, addresses, telephone numbers, c2c Smartcard Numbers and journey details.

To cap everything, c2c accidentally sent an email to people who had submitted claims, CC'ing everyone in its list. The failure to use BCC meant that around 500+ sets of personal details were exposed to everyone in the list. The rail company said sorry for the minor security flap, which is blamed on simple human error rather than a system issue.

"We apologised immediately to all those concerned for this error,” a spokesman said. “We are currently investigating this incident as a priority and once that investigation has completed we will inform all those affected of the conclusions and our next steps."

The offending email – sent on Thursday – was a standard form letter acknowledging recipients’ participation in c2c’s Automatic Delay Repay pilot scheme. ®