According to a recent report, personal data of about 1 Cr IRCTC users is feared to have been leaked from the website’s server. The Maharashtra cyber cell had informed IRCTC about a potential data theft of its user registration details on Tuesday.
IRCTC has denied the report and said that there is nothing wrong with its website.
However, according to this tweet, Maharashtra Government has confirmed the data theft.
Maharashtra Govt confirms @IRCTC_Ltd website hacked. Up to 1 crore account details potentially compromised. Being sold in a CD for Rs 15k.
— Rahul Kanwal (@rahulkanwal) May 5, 2016
An IRCTC official stated that a committee has been formed to enquire into the alleged data breach.
IRCTC is the biggest travel ecommerce platform in India with lakhs of transaction done on its platform everyday. It currently has a user base of 39 Mn and it sells close to 500K tickets on a monthly basis. The data captured by the hackers can be sold to other companies who may use it for targeting potential consumers.
The state’s additional chief secretary (home), KP Bakshi, told TOI that the state police had alerted the railways.
“Right now we are not even in possession of that data which the cyber cell is talking about. Unless we are in possession of that data, we are not in a position to let you know if the data belongs to IRCTC or not. We’re waiting for that data to be given to us, so that we can establish whether that data belongs to IRCTC or someone else, and if it’s been sold in the name of IRCTC,” IRCTC PRO Sandip Dutta, said.
Many personal information like PAN card numbers, mobile numbers, Aadhaar card details, etc. of the users are at risk. On the other side, credit/debit card details are at a little risk, since the payment gateway takes the customer out of the website during the online transactions.
However, IRCTC Chairman & Managing Director A.K. Manocha, in a chat with Inc42 said that there was no hacking activity. He further added, “The data screenshot shared by most of the publications reporting the matter does not match with the IRCTC data. Only a minute part of the data matches. The number 1 crore is only highlighted by the media. Only a few lakh passengers have their PAN cards data on the website. We have several layers of protection on the website to prevent any such hacking.”
It is to be noted that IRCTC had spent around INR 100 crore last year for the upgrading of the website.
Sudeep Das, SE Manager – India and SAARC, RSA explains, “The hackers use business logic abuse mechanisms to hide within legitimate traffic but in a manner unintended by the site owner. Such sophisticated attacks often go unnoticed by either Web Application Firewalls or Log Analysis tools. It seems the same has happened in case of IRCTC hack.”
He further added that the traditional Web Application Firewall technologies needs to be augmented with Behavioral Intelligence to hunt these attacks in real time and respond to them quickly. “Need of the hour is to detect quickly and respond even quicker before there is a major damage to business.”
This news came in just a week after a joint team of the Bangalore Branch of the Central Bureau of Investigation (CBI) and Western Railways Vigilance Department had arrested a person in Eastern Uttar Pradesh for hacking into the IRCTC website to create fake tickets to sell to agents.
As per recent reports, the number of breached records per incident in 2015 ranged from 3,000 to 77,000 records, thereby costing around INR 88.3 Mn as an average total cost of data breach. If the said reports are true, this will be considered a one of the biggest internet data breach in India.