Home News Security bug in Indian Railways ticketing website exposed

Security bug in Indian Railways ticketing website exposed

Indian Railways

The Indian Railway Catering and Tourism Corporation (IRCTC) unknowingly kept its passengers’ personal data at risk for almost two years, two researchers revealed.

According to the Economic Times, Avinash Jain and Gurunatha pointed out that a security vulnerability in IRCTC’s website and mobile app link connected to a third-party insurance provider would have given cyber miscreants access to at least 200,000 passengers’ personal information such as name, age, address, gender, and insurance nominee details.

IRCTC, which handles the catering and online ticketing operations of the Indian railways, provides free travel insurance to the passengers who book tickets via its website or mobile app. This requires IRCTC to share personal and nominee details of all the travellers with third-party insurance providers. The bug, which existed for two years, was discovered and reported to IRCTC on August 14 this year and got fixed on August 29 by IRCTC, the researchers stated.

According to the Indian Computer Emergency Response Team (CERT), the country witnessed as many as 1,44,496 cyber-attacks from 2014 to 2017. The response team stated that around 44,679 cyber-attacks were reported in 2014. By 2015, the number reached 49,455, and by 2016, the numbers crossed the 50,000 mark. The major cyber incidents included phishing, scanning/probing, website intrusions and defacements, virus/malicious code and denial of service attacks, the CERT stated.

Keeping up with the global trends and to better prepare and address impending cyber threats, Home Minister of India, Rajnath Singh has urged critical infrastructure bodies to conduct regular cybersecurity audits. These infrastructures include power, railways, and nuclear energy sectors. Singh stated the biggest cybersecurity concerns are data theft, fraud, and hacking on the country’s critical infrastructure, and highlighted that there have been several attempts by hackers to penetrate the systems and breach the firewall. The best strategy was to stay prepared and vigilant against the cyber threats, he added.