Train ticketing platform RailYatri hit by data breach

Train ticketing platform RailYatri has confirmed that it suffered a data breach in December 2022, shortly after the Railway Ministry denied that user data being sold on the dark web leaked from the Railways’ side.

“We observed a security breach in our system on December 28, 2022,” a RailYatri spokesperson said. “We quickly established the source of the breach and fixed it within a few hours. Some RailYatri registered user information limited to age, email, preference city and phone numbers may have been viewed by unauthorised individuals. No other sensitive customer information has been compromised. We have reported the incident to the government authorities and are exploring legal steps to be taken.”

The company said it was working with the Indian Computer Emergency Response Team (CERT-in) to investigate the breach and audit its security systems. “Our platforms have proper authorisation and authentication in place and access to the applications is through HTTPS and servers are behind firewalls which can be accessed through VPN only by authorised teams.”

While the breach was reported to the authorities on December 28, the Railway Board did not name RailYatri when it issued a statement on December 30 denying that data was stolen from IRCTC. “All IRCTC business partners,” such as reselling platforms like RailYatri, were asked to evaluate their systems, a Railway Board spokesperson had said.

Over 30 million user records were reportedly being sold on the dark web as a result of the breach. RailYatri previously suffered a similar breach in 2020, which was reported by Safety Detectives, a portal run by security researchers and privacy experts. That breach impacted 7,00,000 users, the portal said.

While the Digital Personal Data Protection Bill, 2022 provides for penalties in the event of a data breach, the law is yet to be passed, over five years after the Supreme Court affirmed the constitutional right to privacy and kick-started the process for the creation of data protection legislation. Previous drafts of the Bill were either withdrawn or reworked in past years.