According to Business Standard, personal details of nearly 30 million railway users have been put on sale on the dark web by a hacker. These details include the name, email address, phone number, gender, and other personal information of several government officials and notable personalities, the hacker has claimed. This is the third major data breach over the past two months. The hacker refused to disclose the name of the company whose servers were breached but said it had one of the biggest railway databases in India.

The Ministry of Railways confirmed the hacking and said it had alerted the Indian Computer Emergency Response Team (CERT-In) about the possible data breach. The ministry claimed the data leak was not from its own servers or those of its ticketing arm, Indian Railway Catering and Tourism Corporation (IRCTC). “On analysis of sample data, it is found that the sample data key pattern does not match with IRCTC history API (application programming interface). The reported/suspected data breach is not from IRCTC servers,” the Railways said.

The severity of the breach has immediately brought private ticketing partners of IRCTC into focus. “Further investigation on the data breach is being done by IRCTC. All IRCTC Business Partners have been asked to immediately examine whether there is any data leakage from their end and apprise the results along with corrective measures taken to IRCTC,” it added. The state-owned firm’s private ticketing partners include Amazon, Paytm, and online travel portals like MakeMyTrip, RailYatri, Goibibo, and EaseMyTrip.
According to IRCTC’s figures, the platform was used for booking almost 430 million tickets in the financial year 2021-22, with almost 6.3 million daily logins and more than 80 million users of its online services. Over 46 per cent of its ticket bookings come through the mobile app, which stores the largest amount of data per user.

Though the reason for the data breach is not clear, experts believe it could be different in nature from the recent attacks on the servers of All India Institute of Medical Sciences (AIIMS) and Central Depository Services (India) (CDSL). “In this case, it could have been an IDOR (insecure direct object reference) or authentication vulnerability in the affected travel booking application platform. In the case of CDSL and AIIMS, from what is in public knowledge, it appears to have been a network intrusion with the purpose to take over all connected systems to the network,” said Himanshu Pathak, founder and managing director of cybersecurity research firm CyberX9. IDOR is a common, potentially devastating class of vulnerability that results from broken access control in web applications: the server uses a client-supplied identifier to fetch a record without checking that the requesting user is entitled to that record.

Pathak said: “A large number of Indian organisations are highly careless about sensitive data security. Organisations like booking platforms and similar platforms, which are handling sensitive customer data, should go through regular quality-focused security testing of their applications. There is a dire need for a strict data protection law, in order to force organisations handling sensitive data to adhere to best security practices and secure sensitive data.”

IRCTC rolled out a plan this year to monetise passenger data, which never came to fruition due to massive public uproar over privacy concerns. Experts pointed out that adequate data protection provisions are a necessary precursor to data monetisation.
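To make the IDOR class Pathak refers to concrete, the following is an added example (not code from the article, from IRCTC or from any of the partners named above) of a booking-history lookup carrying the access-control flaw beside a hardened version that enforces object-level authorization; every booking record, user id and function name is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records; not real PNRs, users or phone numbers.
@dataclass(frozen=True)
class Booking:
    booking_id: str
    owner_id: str        # the authenticated user who made the booking
    passenger_name: str
    phone: str

BOOKINGS: Dict[str, Booking] = {
    "PNR100": Booking("PNR100", "user-A", "Asha", "+91-9000000001"),
    "PNR200": Booking("PNR200", "user-B", "Bala", "+91-9000000002"),
}

def get_booking_vulnerable(session_user: str, booking_id: str) -> Optional[Booking]:
    """IDOR: the client-supplied id is used directly as the lookup key.
    The session identity is never consulted, so any logged-in user can read
    any booking simply by supplying another id."""
    return BOOKINGS.get(booking_id)

def get_booking_hardened(session_user: str, booking_id: str) -> Optional[Booking]:
    """Object-level authorization: return the record only when the
    authenticated user owns it. 'Missing' and 'not yours' both yield None so
    the response does not confirm whether a foreign id exists."""
    booking = BOOKINGS.get(booking_id)
    if booking is None or booking.owner_id != session_user:
        return None
    return booking

def history_for_user(session_user: str) -> List[Booking]:
    """Safer shape for a 'my history' endpoint: scope the query by the session
    identity instead of accepting object ids from the client at all."""
    return [b for b in BOOKINGS.values() if b.owner_id == session_user]
```

Detection follows from the same check: a log line where the session user and the owner of the returned record differ is the signal to alert on.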