The cybersecurity posture of Indian Railways is under scrutiny again, with the latest breach at the e-booking services website RailYatri.
Social media and consumer forums are abuzz with concern and criticism after the data of over 30 million user records linked to the train ticketing platform was found being sold on the dark web.
On February 16, a threat actor on BreachForums leaked a database claiming to be from RailYatri. “In Dec 2022, India's largest train booking website Railyatri suffered a data breach that impacted 31 million Users and 37k Invoices,” read the post.
The post stated that the breach of the travel booking app, which is authorized by the Indian Railway Catering and Tourism Corporation (IRCTC), was carried out in December last year, and that the data of 31 million users was exfiltrated.
In December 2022, The Cyber Express discovered that a hacker forum user was selling 30 million Indian Railway user records. A day later, an additional 4 million records of Indian Railways passengers’ details were added to the tranche.
The Cyber Express reached out to RailYatri for comment on the incident but has yet to receive a response.
RailYatri data breach
In December 2022, RailYatri suffered a data breach, which the organization later confirmed, The Hindu reported. The platform also experienced a similar breach in 2020, which was reported by Safety Detectives, a portal run by security researchers and privacy experts. That breach impacted 700,000 users, the portal said.
In the latest claim, cybercriminals have allegedly leaked RailYatri data that includes users’ email addresses, names, gender, phone numbers, and mailing addresses with city and state.
IRCTC responds to the December RailYatri data breach
A RailYatri spokesperson told the Indian daily that they observed a security breach in their system on December 28, 2022. “We quickly established the source of the breach and fixed it within a few hours,” the spokesperson said.
They further stated that though registered user information including age, email, preference city and phone numbers “may have been viewed by unauthorized individuals”, no sensitive customer information was compromised.
On December 28, RailYatri reported the data breach to the authorities following which the Railway Board issued a response on December 30.
In that statement, all IRCTC business partners and reselling platforms, including RailYatri, were asked to inspect their systems.
Cybersecurity researcher Dominic Alvieri also tweeted about the RailYatri data breach on February 19, stating that a dataset of over 31 million entries had been dumped on BreachForums.
RailYatri data breach 2020
Earlier, in 2020, SafetyDetectives, a cybersecurity research team, published a RailYatri leak report stating that around 700,000 individuals were impacted by the incident.
Over 43 GB of data was reportedly accessed without authorization through an Elasticsearch server that was neither password-protected nor encrypted and had been left exposed for several days.
As per the report, the RailYatri servers were exposed on 9 August, following which the security team discovered the server vulnerability.
The team also found that the systems had been accessed by the Meow bot, which deleted nearly all server data. A Forbes report said the Meow bot attacks Elasticsearch and MongoDB instances and wipes the data from them.
Debit and credit card details, payment logs, names on the card, last four digits of the card number, expiry date, and issuing bank name were also exposed.
The SafetyDetectives researchers also noticed that the data size had shrunk from 43 GB to 1 GB by 13 August 2020; however, new data was still being added on a regular basis.
The absence of a ransom note after the systems were hit could be a sign that it was the work of a grey hat with access to several systems, security awareness advocate Javvad Malik of KnowBe4 said in the Forbes report.