A broken passenger information display at Northampton’s Northgate bus station shows a Windows 10 desktop instead of bus times, highlighting compliance risks tied to end-of-life software and data protection regulations.

A passenger information display at Northampton’s Northgate bus station has failed catastrophically, showing a bare Windows 10 desktop instead of scheduled bus times, highlighting longstanding maintenance failures and unaddressed data protection compliance risks tied to end-of-life software.

What happened

The fault was first reported by a Register reader, who noted the main display had shown incorrect times, out by 3 to 4 minutes, for months, causing passengers to miss scheduled buses. As of May 2026, the software responsible for loading real-time departure data no longer launches, leaving only the default Windows 10 desktop background and a small set of unlabeled icons visible to travelers.

The display sits behind protective glass fitted with anti-bird spikes to prevent droppings from damaging the hardware, but no equivalent safeguards were put in place for the underlying software. Northgate bus station opened in 2014, and the displays were configured to run Windows 10, which Microsoft stopped supporting on October 14, 2025. This means the OS no longer receives security updates, bug fixes, or technical support, leaving known vulnerabilities unpatched.
The original configuration reflects a common pattern in public sector procurement, where hardware and software are selected at the time of construction with little planning for long-term maintenance. Windows 10 was released in 2015, one year after the bus station opened, and became the default choice for digital signage systems due to its familiarity and compatibility with existing tools.

Legal basis

Under the UK General Data Protection Regulation (UK GDPR), retained in domestic law via the Data Protection Act 2018, public bodies and private companies that process personal data must adhere to strict security requirements. Article 32 of the UK GDPR mandates that data controllers implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk presented by processing personal data. These measures must include protecting personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
West Northamptonshire Council, which operates Northgate bus station, is a data controller for any personal data processed at the site, including passenger contact details for service alerts, payment information for ticketing, and potentially CCTV footage. Even if the passenger information displays themselves do not directly process personal data, they are likely connected to backend systems that do. Running an unsupported, unpatched operating system on any device connected to these networks creates a clear pathway for attackers to gain unauthorized access to sensitive personal data, violating Article 32 requirements.
The Information Commissioner’s Office (ICO), the UK’s data protection regulator, has the power to issue monetary penalties for GDPR breaches. Fines can reach up to £17.5 million or 4% of the offending organization’s global annual turnover, whichever is higher. Past penalties for similar security failures, such as using unsupported software on public-facing systems, have ranged from £100,000 to several million pounds. More information on ICO penalty notices is available on the ICO website.
Microsoft’s Windows 10 lifecycle documentation confirms that no further security updates will be released for the OS, making it non-compliant with standard data protection security requirements.

Impact on users and companies

For passengers, the immediate impact is clear: incorrect or missing departure information leads to missed buses, delayed journeys, and added costs for rebooking or alternative transport. Vulnerable travelers, including elderly people and those with mobility issues, are disproportionately affected by unreliable information systems, as they may have fewer options to check alternative sources or wait for later services.
For the council and partner bus operators, the failure creates multiple risks. Reputational damage from public complaints and media coverage of the broken display erodes public trust. If the ICO launches an investigation into the use of end-of-life software and finds a breach of Article 32, the council could face significant fines, on top of the cost of replacing the failed hardware and software. There is also a risk that attackers could exploit unpatched Windows 10 vulnerabilities to access connected systems, potentially exposing thousands of passengers’ personal data in a reportable breach under Article 33 of the UK GDPR, which would require the council to notify affected individuals and the ICO within 72 hours of becoming aware of the breach.
The original article notes that Microsoft has acknowledged ongoing issues with Windows 11, the successor to Windows 10, but this does not excuse the use of an unsupported OS. Even if Windows 11 has flaws, it still receives regular security updates, making it a compliant choice for systems processing personal data.

What changes are needed

Public sector organizations operating critical infrastructure, including passenger information systems, must prioritize software lifecycle management to avoid relying on end-of-life operating systems. For the Northgate bus station displays, this means replacing Windows 10 with a supported OS, such as Windows 11 IoT Enterprise or a lightweight Linux distribution designed for digital signage, which receives regular security updates.
Organizations should also conduct regular compliance audits to ensure all networked devices meet data protection security requirements. Air-gapping passenger information displays from backend systems that process personal data, where technically feasible, would reduce the risk of a breach spreading from a compromised display to sensitive databases. For systems that must be networked, strict firewall rules and intrusion detection systems should be implemented to monitor for suspicious activity.
The ICO recommends that all data controllers maintain an inventory of all devices processing personal data, including their software versions and support end dates, to ensure timely updates and replacements. Public bodies have a particular duty to model good compliance practices, as they process large volumes of sensitive personal data belonging to citizens.
More guidance on UK GDPR compliance for public sector organizations is available from the ICO’s official guidance.
