Railways claims no theft of ‘sensitive’ data from IRCTC website

06 May 2016

Amid allegations of hacking of the Indian Railways Catering and Ticketing Corporation's (IRCTC) e-ticketing portal and massive theft of data of millions of its customers, the railway ministry on Thursday claimed that no "sensitive data" posing financial risk has been compromised from the e-ticketing system of IRCTC.

In its preliminary report, the ministry said it has "not found any indication of breach of security in any of the databases of the e-ticketing system," adding that further investigations are under way and that the expert committee has sought details of the leaked data.

"As soon as the matter came to notice of Railways on 02/05/2016, thorough investigations were conducted to detect veracity of the news, however, no such incident has been detected by the technical teams of Centre for Railway Information Systems (CRIS) and Indian Railway Catering and Tourism Corporation (IRCTC)," a railway ministry release said.

"No 'Denial of Service attack' (DoS/DDoS) has been successful and the E-ticketing website has been working normally thereby eliminating any chances of unauthorized interference. About 5.48 lakh tickets were booked in a single day in April 2016 with 2.66 lakh peak concurrent users. About 13,600 tickets per minute were booked," the release noted.

The release said all components of the e-ticketing system, viz., the internet gateway, network security devices such as the gateway router and firewall, the Application Delivery Controller, the Security Information Event Management System (SIEM), and web server and database server access logs, have been functioning normally.

"Each of the components has been checked and none of the components has been found to have unusual activity. Technical investigations have also not indicated any unusual activity with respect to various system components," it added.

This comes after the Maharashtra cyber security cell alerted the Western Railway early this week to the possible theft of massive user profile data and hacking of its system. The Western Railway immediately apprised the Railway Board, which, according to officials, held an emergency meeting on 2 May and formed a joint panel of experts with IRCTC and the Centre for Railway Information Systems (CRIS), the IT arm of the railway ministry that maintains the IRCTC website.

The data held in IRCTC's e-ticketing system includes sensitive information such as debit/credit card details, login IDs and passwords, exposure of which could pose a financial risk.

"PAN card detail is not required for booking e-ticket. No sensitive data has been alleged to have been leaked," stated a railway ministry release.

It also said that other data, such as mobile numbers and email IDs, are available with a large number of electronic service providers, e-commerce firms and telemarketers.

E-mail addresses and mobile numbers have to be shared with service providers for catering, cab and SMS services, and hotel bookings. So far, no leakage of data through any of IRCTC's service providers has been established, the statement added.