Air traffic control data ‘for sale’ on eBay

The data was found on a piece of hardware called a switch sold for £20 on auction website eBay.

The device, which connects several computers onto a network, was originally used by Prestwick air traffic control centre in Ayrshire which oversees 900,000 flights a year and covers more airspace than any other site in Europe.

Mike Kemp, co-founder of tech firm Xiphos Research Labs, bought the switch for his office in Birmingham.

When it arrived he found it was labelled “NATS” (National Air Traffic Services) and contained “effectively a network map for Prestwick air traffic control”, revealing passwords and details of which systems talk to other systems.

Mr Kemp told Channel 4 News his first reaction was shock.

“I thought ‘oh c**p’ quickly followed by ‘where has this device come from?’ and ‘why hasn’t it been wiped?'”

It’s astonishingly bad practice not to wipe such a device. Peter Sommer

A spokesperson for NATS has stressed that the data “in no way formed part of air traffic control operations”.

But as an expert in information security, Mr Kemp said it appeared that “trivial” passwords were being used and that data destruction processes were not being applied. He believes the information he unwittingly acquired could “feasibly” be used by hackers and terrorists.

He said: “Basically with the configuration details and password data it would be a trivial task for an unauthorised individual to place their own switch onto the network.

“Once they had done that, they could feasibly control all data going across that network, including flight data, and interrupt its flow, potentially even going as far as to stop all network traffic and stop the network functioning at all.”

In a statement, NATS told Channel 4 News: “We have a contract with a specialist firm to handle the secure destruction and disposal of our equipment. We are investigating with them why equipment that we have a destruction certificate for was subsequently sold online.

“As soon as Mr Kemp alerted us to what he had found on the switch – which had been used only in non-operational and non-safety critical systems – we ensured that the integrity of our business systems was further enhanced. At no time were those business systems at risk.

“This equipment does not form part of our operational air traffic control systems.”

We are investigating why equipment that we have a destruction certificate for was subsequently sold online. NATS

Professor Peter Sommer, an information systems security expert, said failing to wipe such data before selling old equipment is a “silly” risk.

But he said the switch would need to be installed in the right location for hackers or terrorists to do any serious damage.

He said: “It’s astonishingly bad practice not to wipe such a device.

“Even if you can’t do immediate damage the [data] provides clues and holes which could affect your systems later on.

“When you sell a laptop it’s a good idea to wipe it, it’s the same with a switch.

“But people have been making these silly mistakes for 30-odd years.”

Mr Kemp said that a further 12 similar units were available from the same eBay seller, who has declined to comment.

But Kevin Briscoe, a spokesman for NATS, said these other devices do not pose a security risk because the actions taken since the breach came to light “negate anything on those switches”.

Prestwick air traffic control centre expanded in 2010 and employs more than 800 people. The site is also home to an international airport which sees around 1.6m passengers pass through the terminal every year.

Ryanair is the main airline, using Prestwick as its hub, with dozens of flights taking off every day for destinations across the UK and Europe.