Indian Railways Data Breach: 30 Million User Records up for Sale

In addition to user information and bills, some of the stolen data have a due date of December 31, 2022.

 


On Tuesday, December 27, Indian Railways experienced a data breach that compromised the personal information of approximately 30 million people. 

Hackers discovered that 30 million Indian Railways user records were being sold on an online forum by a hacker who used a fake identity. A user known as a "shadow hacker" on the Dark Web was said to have listed the user data for sale. However, there is no information regarding the identity of this user.

According to the hacker, various personal information was compromised, including name, email, phone number, and gender. A user further reported that the data contained several email addresses belonging to government agencies. Security researchers have not been able to validate the authenticity of the data or how it was accessed. As of yet, there is no comment from Indian Railways regarding this incident.

The Indian Railway Catering and Tourism Corporation (IRCTC) made 41.74 million electronic ticket reservations in the fiscal year 2021-2022, resulting in revenue of 38.18 billion Indian rupees from these reservations.

The data includes usernames, email addresses, verified mobile numbers, gender, city ID, city name, and state ID, as well as language preference information. The hacker had gathered several records from Indian Railways' databases. These records contained the details of people who had purchased tickets from Indian Railways through emails and phone numbers.

Additionally, the hacker offered details of the vulnerabilities on the website that he had exploited with the help of the data he had stolen. It was not specified whether the website was the IRCTC booking portal or the website of Indian Railways.

The hacker also alleges that "significant persons" and "government personnel" have been victimized by the theft of their personal information. According to a snapshot of the hacker site where the data was listed for sale, the data also appears to include customers' travel and billing records.

The hacker claims to have sold only ten copies of the stolen data, if his assertions are to be believed. More information about the suspected breach may still emerge, and professional opinions are yet to be formed.

This is not the first time Indian Railways has been hit by a data breach. Following the data breach that occurred earlier this month in the All India Institute of Medical Sciences (AIIMS) database of patients, another breach has now been reported in the Indian Railways database of customers.

In 2020, nearly nine million Indian railway ticket buyers had their personal information, including their ID numbers, stolen from an online database. In investigating a dark web post by this company, it was discovered that a million users' data had been stolen sometime in 2019.