On Wednesday, train ticketing platform RailYatri released a statement confirming that it suffered a data breach in December 2022. The confirmation comes after the Railway Ministry denied such an attack and remarked that no user data leaked from the Railways’ side had been sold on the dark web.
Reportedly, as a result of the breach, the data of over 30 million users has been sold on malicious sites, including phone numbers, email addresses, house addresses, city, etc. RailYatri also suffered a similar attack in 2020, which targeted 7,00,000 users.
“We observed a security breach in our system on December 28, 2022, we quickly established the source of the breach and fixed it within a few hours. Some RailYatri registered user information limited to age, email, preference city, and phone numbers may have been viewed by unauthorized individuals. No other sensitive customer information has been compromised. We have reported the incident to the government authorities and are exploring legal steps to be taken,” a RailYatri spokesperson said.
Following the incident, the platform further reported that it continues to investigate the attack with the Indian Computer Emergency Response Team (CERT-In) and is also auditing its security systems against further threats.
“Our platforms have proper authorization and authentication in place and access to the applications is through HTTPS and servers are behind firewalls which can be accessed through VPN only by authorized teams,” the platform further added.
The incident was reported to the authorities on December 28; when the Railway Board confirmed the attack on December 30, it did not name RailYatri and denied that data had been stolen from IRCTC. In addition, all IRCTC business partners, including reselling platforms like RailYatri, have been instructed to evaluate their systems.
The government has already proposed a bill in parliament, the ‘Digital Personal Data Protection Bill, 2022’, to take strict action against data breaches; however, the law is yet to be passed.