IRCTC Suffers a Data Breach – Railway Ministry Denies
After suffering a data breach in 2020, when the personal data of around 90 lakh railway ticket buyers was compromised, it seems that a similar case may have happened again with IRCTC.
Reportedly, data of three crore railway travelers has been stolen online and put up for sale on the dark web. The theft is said to have happened on December 27.
The data is in the hands of a forum named shadowforum, which has access to highly private data of users who booked tickets through the IRCTC portal in the past few months. The stolen data includes PII of IRCTC users.
IRCTC has, however, denied the reports, claiming that the sample data does not match IRCTC's history API and that no such data breach has occurred.
The state-owned firm's private ticketing partners include Amazon, Paytm and noted online travel portals MakeMyTrip, RailYatri, Goibibo, and EaseMyTrip, among others.
"An incident regarding Indian Railway data breach has been reported in the media. In this connection, it may be submitted that the Railway Board had shared a possible data breach alert of CERT-In to IRCTC reporting a data breach pertaining to Indian Railways passengers. On analysis of sample data, it is found that the sample data key pattern does not match with IRCTC history API. Reported/suspected data breach is not from the IRCTC servers."
IRCTC Statement – ANI Quotes
Earlier this year, an Insecure Direct Object Reference (IDOR) vulnerability was found with IRCTC's third-party insurers, putting the sensitive information of millions of users at risk. IRCTC had pulled up Bajaj Allianz and Liberty General Insurance.
This comes after recent reports that the servers of AIIMS Delhi were hacked by a China-based hacker. It is claimed that hackers gained access to five out of the forty physical servers, putting private data of nearly 4 crore patients at risk.