9 lakh IRCTC users’ personal data found online

Personally identifiable information (PII) for 9 lakh individuals, said to be from Indian Railway Catering and Tourism Corporation, has been posted online


The personally identifiable information (PII) of 9,39,230 persons, said to be users of online rail ticket seller Indian Railway Catering and Tourism Corporation (IRCTC), has been found online by security firms CloudSEK and Cyble.

Cyble said it found a dark web post on Oct. 13 containing close to 10 lakh users’ data that the post claimed was leaked sometime in 2019.

CloudSEK said it discovered a post on “a surface web database marketplace” on the same day, similarly advertising the information of almost 10 lakh IRCTC users dating from 2019.

Both companies obtained the data, which they say contains users’ full names, mobile numbers, dates of birth, email addresses, gender, marital status, city, and state.

Internet data can broadly be classified into three layers: the surface web, deep web and dark web. While most compromised databases are available on dark websites that can only be accessed through Tor browsers, surface web content is readily accessible and indexable using regular search engines. The relative ease of accessing the said information is what makes the purported IRCTC data leak incident particularly worrisome.

CloudSEK Threat Research Lead Koushik Sivaraman said that the company was able to verify the authenticity of the information through reverse phone number and email lookups using public sources of information and tools like Truecaller.

How the released data affects users and what they can do about it

Cyble has added the data it obtained to its website AmIBreached.com, where users can enter their email address to find out what personal information relating to it has been found online. While that site, and the similar haveibeenpwned.com, can’t undo the damage caused by a data breach, they do provide users pointers to how they can protect themselves from further online harm.

Throwing light on how a data leak could impact affected users, CloudSEK’s Sivaraman said, “Threat actors can use the personally identifiable information in the data dump to orchestrate phishing, spear phishing, vishing and smishing campaigns, and also online or offline scams.”

Furthermore, he believes such information can be used for identity theft, social engineering attacks, and higher impact attacks such as compromise of personal finances and services.

Sivaraman had four recommendations for affected users:

  1. Enable multi-factor authentication.
  2. Do not share OTPs with third-parties.
    [Note: While this is a rule of thumb, it is especially relevant in this case because threat actors already have phone numbers. So, the OTP is the only thing standing between threat actors and the victims’ accounts.]
  3. Review all online accounts and financial statements for suspicious activity.
  4. Caution friends and family against threat actors impersonating you.

A cybersecurity track record that’s off the rails

This is not the first time that Indian rail travellers’ personally identifiable information has been found online.

In April 2016, a media report said that personal information relating to 1 crore customers of IRCTC, operator of an online ticketing site for Indian Railways, was feared to have been stolen. A month later, IRCTC told reporters its internal investigation had concluded its systems were secure and that no data breach had taken place. However, it did not rule out the possibility that the data was genuine, and had been obtained by some other means.

Also in 2016, a cybercriminal from Uttar Pradesh (UP) was arrested by the Central Bureau of Investigation (CBI) for hacking the IRCTC website and selling fake tickets to passengers.

In October 2019, Indian Railways itself left an unprotected database instance exposed, according to haveibeenpwned.com, which published the news in January 2020. This resulted in the breach of over 2 million records containing 583,000 unique email addresses, usernames and plain-text passwords.

In August this year, security watchdog Safety Detectives revealed that a server vulnerability in RailYatri discovered on Aug. 10 resulted in a Meow bot attack that led to the deletion of almost all server data. RailYatri is a government-sanctioned travel portal that caters to nearly 2 crore 40 lakh users every day.

Prior to that, in November 2018, security researchers Avinash Jain and Gurunatha Reddy disclosed to ET how a critical security vulnerability that could have given hackers access to users’ personal information went undetected for close to two years.

The researchers were reportedly able to access information of close to 1000 Indian Railways passengers and their nominees within 10 minutes of finding the bug.

Copyright © 2020 IDG Communications, Inc.
