Railways dismisses reports of data leak from IRCTC website

Railways today dismissed reports about the leak of email and mobile numbers from user profile data of Indian Railway Catering and Tourism Corporation's (IRCTC) e-ticketing system and said everything is safe and secure.
There is no hacking nor any leakage of IRCTC ticketing website and everything is safe, Railway Board Member (Traffic) Mohd Jamshed told PTI.
He was replying to a query about reports citing cyber officials in Maharashtra regarding alleged leak of email and mobile numbers from user profile data of IRCTC e-ticketing system.
He said the security system has already been reviewed twice in the recent past.
Railways constituted a committee comprising cyber experts and vigilance officials from IRCTC and Centre for Railway Information Systems (CRIS) on May 3 to check the possible theft of data and found no such case.

"The committee has submitted the preliminary reports and there is no leakage. We are constantly monitoring it," Jamshed said.

The e-ticketing system is managed in-house by CRIS, the IT arm of Indian Railways. The data centre is in the premises of CRIS.
According to Railways, the report of possible theft of data came to light on May 2 and a thorough investigation was carried out to ascertain its veracity.
However, no such incident was detected by technical teams of CRIS and IRCTC.
The data of e-ticketing system can be broadly divided into two categories - sensitive information like debit/credit card details, login ID, passwords, which could cause potential financial risk. PAN card detail is not required for booking e-ticket.

No sensitive data is alleged to have been leaked.
It is clarified that other data like mobile numbers and email ids is available with a large number of electronic service providing entities such as e-commerce firms and telemarketers.
Email and mobile numbers have to be shared with service providers for providing catering services, cab services, hotel bookings, SMS services etc. Till now, leak of data through none of the service providers of IRCTC has been established.
According to IRCTC, about 5.48 lakh tickets were booked
in a single day in April, 2016 with 2.66 lakh peak concurrent users which means about 13,600 tickets were booked per minute.

The e-ticketing system has several components viz. internet gateway, network security devices such as gateway router and Firewall, Application Delivery Controller, Security Information Event Management System (SIEM) web server and database server access logs.
According to railways, each component has been checked and none of them has been found to have any unusual activity. Technical investigations have also not indicated any unusual activity with respect to various system components.
The IT security of e-ticketing system is ensured through regular security audits by Standardization Testing Quality Certification (STQC) Directorate of Department of Electronics and IT.
IRCTC CMD AK Manocha said auditing is an ongoing process and security audit of e-ticketing system is undertaken biannually.

Audit trails are maintained for access to the system and all sensitive data like passwords are stored in encrypted form.
"24x7 monitoring of the system is done throughout the year by technical team of experts. Strict physical checks are already in place in the data centre like restricted access to data centre, CCTV cameras at entry and exit points of data centre," Manocha said.