Indian Railways Says It's Not Source of Alleged Data Breach30 Million Purported Passenger Records Listed for Sale on Cybercrime Forum
A cybercrime forum this week listed for sale what a seller purports to be 30 million passenger records for users of India's railways, including names, email addresses, phone numbers and more. But the Indian Ministry of Railways has denied that it is the source of any data breach.
Threat intelligence firm Cyble reports that it's unclear if the data is legitimate.
After analyzing a sample of the data, the Ministry of Railways said that if the data is legitimate, then it was not stolen from the Indian Railway Catering and Tourism Corp. The IRCTC is a wholly owned subsidiary of the Indian Railways, Ministry of Railways and government of India, and has assets worth $410 million.
The IRCTC's web portal and Rail Connect mobile applications for Android and iOS devices are widely used. They handled 80% of all reserved tickets booked on Indian Railways from April 2021 through March 2022. The IRCTC's systems are also available via a variety of application programming interfaces, but officials say the data does not appear to have been harvested via these APIs.
"It was found that the sample data key pattern does not match with IRCTC history application programming interface," a ministry spokesperson says.
The railway's board of directors has alerted the Indian Computer Emergency Response Team to the incident and says CERT-In is investigating.
"All IRCTC business partners have been asked to immediately examine whether there is any data leakage from their end and apprise the results along with corrective measures taken to IRCTC," the spokesperson said.
The Breach Claim
A user of cybercrime site Breach Forums using the handle "shadowhacker" first posted the data Monday, claiming it had been stolen from "one of the biggest railway databases in India" and contained 30 million Indian railway users' records and invoices.
The alleged database includes personally identifiable information such as names, email addresses, phone numbers and gender, as well as additional profile details such as users' city and language preferences, according to the sample data posted to Breach Forums and reviewed by Information Security Media Group. Users' travel history - including their passenger name, record number, train number and destination - are also apparently included in the exfiltrated data.
The hacker shared two sets of data - one containing 106 records and the other 22 records - from the data leak to substantiate their claims.
"The data set seems to be fresh as some records from the data sample are from the month of December 2022," Indian news agency Times Now reports.