[Updated] RailYatri Allegedly Suffers Another Data Leak, Company Denies

Update: 22nd Feb, 23:00 IST

After publishing this story, RailYatri contacted us to clarify the matter. According to the company, there has been no new data breach. It stated that the data referred to by the cybersecurity expert is old data that was exposed in December 2022. Since then, the company has taken the necessary steps to ensure the safety of user data.

The below story has been edited to include RailYatri’s comments.

Indian train ticketing platform RailYatri has allegedly suffered another data breach, exposing the data of more than 31 Mn (31,062,673) users. This is the second incident nearly three years after the government-sanctioned ticketing platform suffered a data breach, exposing user data of some 7 Lakh users. However, the company has denied the allegations.

Cybersecurity researcher Anurag Sen notified Inc42 of the development on Monday (February 20), after having detected the leak last week. According to him, user email addresses, full names, genders, phone numbers and locations, were exposed during this data breach.

According to Sen, in February 2020 also, he identified a misconfigured Elasticsearch server exposed to the public without any password or security authentication. He then claimed to have informed RailYatri about the leak, but the company initially denied that the server was theirs. 

However, after the Indian Computer Emergency Response Team (CERT-In) got involved in August 2020, the company claimed that it was a test server and later secured it. “Back in 2020, when I reached out to Railyatri, they never replied or reached out to me, but after I contacted CERT-In, the server got closed,” Sen told Inc42.

Hackers allegedly attacked RailYatri servers again on February 16, stealing the data of 31 Mn users and posting it on BreachForums, a cybercrime forum, Sen noted. A hacker called UNIT82 posted a database 12.33 GB in size, which was alleged to be the RailYatri user data. 

However, as per the company, it has not suffered any data breach on February 16. It stated that the data referred to by the cybersecurity expert is old data that was exposed in December 2022.

“I have reported various data leaks in India; the most common issue I saw is that these companies are not getting fined due to India not having any GDPR-like law,” Sen added.

Indian startups have become easy targets for hackers and other malicious entities on the internet for such data breach incidents. These data breaches could lead to other cybercrimes, including identity theft and phishing attacks, among others.

Earlier this month, Inc42 reported the data leak at the social media platform for teenagers Slick. The app had exposed the data of 153K users at the time but had been proactive in fixing the issue once it was detected and reported.

Last year, Flipkart-owned online travel aggregator (OTA) Cleartrip was the target of a cyberattack which resulted in a major data breach. In 2021, Mobikwik and Upstox were among multiple startups that had data breaches, exposing the data of millions of users.

India remains one of the worst-hit countries in the world in terms of cyberattacks, as a recent government report noted that the country had 13.91 Lakh cybersecurity incidents last year, as tracked by the government. 

However, Google’s vice president of engineering for privacy, safety and security Royal Hansen said in August 2022 that India witnessed as many as 18 Mn cyberattacks per day in Q1 2022.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.