Data of 30 mn railway users compromised, personal details on dark web

Personal details of nearly 30 million railway users have been put on sale on the dark web by a hacker. These details include name, email, phone number, gender, and other personal information of several government officials and notable personalities, among others, the hacker has claimed.

The hacker refused to disclose the name of the company whose servers were breached, but said it is one of the biggest railways databases in India. Meanwhile, the ministry of railways has responded to the development.

“An incident regarding the Indian Railway data breach has been reported in the media. In this connection it may be submitted that the Railway Board had shared a possible data breach incident alert of CERT-In (Indian Computer Emergency Response Team) to IRCTC reporting a data breach pertaining to Indian Railways passengers,” the railways said.
Moreover, the ministry claims that the data is not from its own servers or those of its ticketing arm, Indian Railway Catering and Tourism Corporation (IRCTC).
“On an analysis of sample data, it was found that the sample data key pattern does not match with IRCTC history API (application programming interface). Reported/suspected data breach is not from the IRCTC servers,” the railways said.

The severity of the breach has immediately brought private ticketing partners of IRCTC into focus. “Further Investigation on the data breach is being done by IRCTC. All IRCTC business partners have been asked to immediately examine whether there is any data leakage from their end and apprise the results along with corrective measures taken to IRCTC.”

The state-owned firm’s private ticketing partners include Amazon, Paytm and noted online travel portals MakeMyTrip, RailYatri, Goibibo, and EaseMyTrip among others. According to IRCTC’s figures, the platform was used for booking almost 430 million tickets in the financial year 2021-22, with almost 6.3 million daily logins and more than 80 million users of its online services. Over 46 per cent of its ticket bookings come through the mobile app, which stores the largest amount of data about each user.

While the reason for the data breach is not clear, experts believe the breach could be different in nature from the recent attacks on the servers of All India Institute of Medical Sciences (AIIMS) and Central Depository Services (CDSL).

“In this case, it could have been an IDOR (Insecure direct object reference) or authentication vulnerability in the affected travel booking’s application platform. While in the case of CDSL and AIIMS, from what is in public knowledge, it appears to have been network intrusion with the purpose to take over all connected systems to the network,” said Himanshu Pathak, founder and managing director of cybersecurity research firm CyberX9.
IDOR is a common, potentially devastating vulnerability stemming from broken access control in web applications.
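The broken-access-control pattern Pathak describes, as an added illustration that is not code from the article, IRCTC or any of its partners: a hypothetical booking-history lookup that trusts a client-supplied booking ID, beside a hardened version that scopes the lookup to the logged-in account, plus an authorization check a test suite could run against either handler. All account names, IDs and phone numbers below are constructed.

```python
# Added example: an IDOR in a hypothetical booking-history lookup and its fix.
# Not IRCTC's, any partner's, or the article's code; data is constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Booking:
    booking_id: int
    owner: str      # account that made the booking
    passenger: str  # PII that the lookup returns
    phone: str


# Constructed sample store: two accounts, three bookings, sequential IDs.
BOOKINGS: Dict[int, Booking] = {
    1001: Booking(1001, "asha", "Asha R", "+91-90000-00001"),
    1002: Booking(1002, "asha", "Asha R", "+91-90000-00001"),
    1003: Booking(1003, "ravi", "Ravi K", "+91-90000-00002"),
}

Record = Optional[Dict[str, str]]


def booking_vulnerable(session_user: str, booking_id: int) -> Record:
    """IDOR: looks up whatever ID the client sends and never checks ownership."""
    b = BOOKINGS.get(booking_id)
    return None if b is None else {"passenger": b.passenger, "phone": b.phone}


def booking_hardened(session_user: str, booking_id: int) -> Record:
    """Scopes the lookup to the authenticated account. A record that is missing
    or owned by someone else gets the same None (treat as 404), so a caller cannot
    even confirm that a foreign booking ID exists."""
    b = BOOKINGS.get(booking_id)
    if b is None or b.owner != session_user:
        return None
    return {"passenger": b.passenger, "phone": b.phone}


def foreign_readable(handler: Callable[[str, int], Record], session_user: str) -> List[int]:
    """Authorization test: which bookings NOT owned by session_user does the
    handler still return? Anything other than [] is an access-control defect."""
    return sorted(
        b.booking_id for b in BOOKINGS.values()
        if b.owner != session_user and handler(session_user, b.booking_id) is not None
    )
```

Run the check against every endpoint that takes a record ID; the hardened handler should also emit an audit log on the denied path so repeated probing of foreign IDs is visible to detection.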

Pathak added, “A massive percentage of Indian organisations lack and are highly careless about sensitive data security. Organisations like booking platforms and similar, who are handling sensitive customer data should go through regular quality focused security testing of their applications. Beside that, there is a dire need of a strict data protection law, in order to force organisations handling sensitive data to actually adhere to best security practices and secure the sensitive data.”