Breach not from IRCTC, says Railways; private partners on Centre’s radar
In what could be the biggest data breach of a government entity’s digital assets to date, the personal details of nearly 30 million railway users have been put up for sale on the dark web by a hacker. These details include the name, email, phone number, gender, and other personal information of several government officials and notable personalities, among others, the hacker has claimed.
The hacker refused to disclose the name of the company whose servers were breached, but said it is one of the biggest railways databases in India. Meanwhile, the ministry of railways has confirmed the hack, adding that it had alerted the Indian Computer Emergency Response Team (CERT-In) about the possible data breach.
Moreover, the ministry claims that the data is not from the servers of its own ticketing arm, the Indian Railway Catering and Tourism Corporation (IRCTC).
“On an analysis of sample data, it was found that the sample data key pattern does not match with IRCTC history API (application programming interface). Reported/suspected data breach is not from the IRCTC servers,” the railways said.
The severity of the breach has pushed the government to act, and it has immediately put IRCTC’s private ticketing partners on its radar. “Further investigation on the data breach is being done by IRCTC. All IRCTC business partners have been asked to immediately examine whether there is any data leakage from their end and apprise the results along with corrective measures taken to IRCTC.”
The state-owned firm’s private ticketing partners include tech giants such as Amazon and Paytm and noted online travel portals MakeMyTrip, RailYatri, Goibibo, and EaseMyTrip, among others.
According to IRCTC’s figures, the platform was used for booking almost 430 million tickets in the financial year 2021-22, with almost 6.3 million daily logins and more than 80 million users of its online services. Over 46 per cent of its ticket bookings come through the mobile app, which holds the highest quantum of data stored from a user.
While the reason for the data breach is not clear, experts believe the breach could be different in nature from the recent attacks on the servers of the All India Institute of Medical Sciences (AIIMS) and Central Depository Services (CDSL).
“In this case, it could have been an IDOR (Insecure direct object reference) or authentication vulnerability in the affected travel booking’s application platform. While in the case of CDSL and AIIMS, from what is in public knowledge, it appears to have been network intrusion with the purpose to take over all connected systems to the network,” said Himanshu Pathak, founder and managing director of cybersecurity research firm CyberX9.
IDOR is a common, potentially devastating vulnerability stemming from broken access control in web applications.
Pathak added, “A massive percentage of Indian organisations lack and are highly careless about sensitive data security. Organisations like booking platforms and similar, who are handling sensitive customer data should go through regular quality-focused security testing of their applications. Besides that, there is a dire need of a strict data protection law, in order to force organisations handling sensitive data to actually adhere to best security practices and secure the sensitive data.”