The guy across from me was working on a client contract. I know everything.

I didn’t ask for anything. I didn’t hack anything. I didn’t even take out my phone. I just looked straight ahead for three hours.

Paris to Rennes, TGV Inoui, 2:22 PM. Window seat, right side, car 14. Across from me, some guy. Mid-forties, jacket no tie, AirPods. He opens his laptop the moment the train leaves Montparnasse. Normal. It’s 2026, that’s what we do.

What’s less normal is what he does with that laptop.

In ten minutes, without moving my head, I caught his company name (logo at the top of the screen), his client’s name (folder open right in the middle of his desktop), the approximate value of the contract in progress (Excel column visible, numbers large enough to read from the seat across), and the initials of two people whose work he apparently didn’t think much of, based on the comments in the document.

To be clear: I’m not malicious. I’m just sitting there.


This scenario is called shoulder surfing. A term that sounds like an Olympic discipline when it’s really just passive curiosity with a decent viewing angle. No cybersecurity expertise required. No equipment needed. Just eyes and a face-to-face train seat.

What’s fascinating is that this guy had probably completed a cybersecurity training course within the year. He had an antivirus. Maybe a VPN. A complex password, certainly. He had checked every box in his company’s security policy.

And there he was, exposing a €58,000 client contract to the entire car 14.

What I learned effortlessly:
Company name · Client name · Budget range · Two internal first names · A competing vendor mentioned in a cell · The fact that he was “behind on section 3”

The problem with physical security is that it’s invisible in audits. We measure passwords, logs, network access. Nobody measures the viewing angle from seat 42B.

Privacy filters for screens have existed for years. They cost around twenty euros. They reduce the lateral field of view to about 30 degrees. It’s not magic, but it’s enough for your train neighbor to see a black screen instead of your client data.

It’s not in the annual training budget. It’s not in the GDPR policy. It’s generally not in the CISO’s recommendations.

And yet it’s the simplest thing in the world.


In Rennes, he packed up his laptop and left. He has no idea. I didn’t say anything — not because it wasn’t my place, but because nobody says anything on a train.

That’s the real problem.

Next time you open a confidential document on public transit, just ask yourself one thing: does the person across from me look like the kind who reads?

The answer might surprise you.