A hacker forum user was discovered to be selling 30 million Indian Railway user records. The identity of this user, who went by the alias “shadowhacker”, is unknown.
The hacker stated that the data includes various personal details such as name, email, phone number, and gender, as well as additional information. The user also mentioned that there are multiple government email addresses present in the data.
Security researchers are yet to verify whether the data is authentic and how it was accessed. A request for comment sent to the Indian Railways remains unanswered. Researchers at Cyble told The Cyber Express that they are in touch with the Indian Railways.
Indian Railways: $100 for specific passenger data
The threat actor has guaranteed more than 25 million phone numbers along with other personally identifiable information (PII).
The actor also offers another endpoint disclosing “all user history of travel information,” including “a lot of data” such as PNR number, invoice PDFs that include PII such as passenger name and mobile number, and travel details such as train number and arrival time.
The hacker also offers the details of website vulnerabilities “we used” along with the data for a price. The actor did not mention whether the website is the IRCTC booking portal or the Indian Railways portal.
Data breaches and Indian Railways passenger info
Indian Railways has suffered a slew of data breaches in the last couple of years. In October 2019, an unprotected database instance was left exposed.
This breach affected over 2 million records, including 583,000 unique email addresses, usernames, and plain-text passwords. The news of this breach was made public in January 2020.
In 2020, renowned cybersecurity firm Cyble found the personal information of over nine million Indian railway ticket buyers, including their IDs, online. According to the company, it found a dark web post claiming that the data was leaked sometime in 2019 and included a list of a million users.
The data that Cyble obtained included the users’ names, mobile numbers, and email addresses. It also included details about their gender, marital status, and city.
In August 2020, cybersecurity firm Safety Detectives revealed that a vulnerability on the website of RailYatri, a government-sanctioned portal for buying and selling railway tickets that caters to nearly 240 million users every day, was exploited by a bot attack. The attack resulted in the deletion of all the server data.
Indian Railways: Unpatched vulnerabilities
In 2016, a media report claimed that the personal details of about a hundred million customers of Indian Railways’ online ticket portal, itickets.com, were stolen. However, the company later said it did not believe the data had been hacked. It also noted that the information was possibly obtained through unauthorized means.
In another incident in 2016, a cybercriminal from the Indian state of Uttar Pradesh was arrested for hacking the website of the Indian Railways’ ticket portal (IRCTC) and selling fake tickets.
In November 2018, two security researchers, Gurunatha Reddy and Avinash Jain, revealed to ET how a critical vulnerability in the website of a government-sanctioned portal could have allowed unauthorized individuals to access the personal details of its users for almost two years.
The researchers could access the details of almost a thousand Indian Railways ticket holders within just 10 minutes after they discovered the vulnerability.