A suspected massive data hacking case has sent the Railway Board, which manages Indian Railways, in a tizzy. The Board has formed a high-level six member committee of experts to look into the case where personal data of around 10 million users on the IRCTC website, India’s largest e-commerce portal, is suspected to have been hacked and sold.
Officials suspect the massive data hacking may have involved personal information of users including PAN card numbers, Aadhaar card details, email ids and mobile numbers — immensely valuable set of information for telemarketing companies in the digital age.
“We cannot comment until we have seen the data that has been leaked. We will be able to substantiate any claim of data hack or theft only after we have seen the data and checked whether it belongs to the IRCTC website or some other source,” said a senior IRCTC official.
A senior official from the rail ministry informed the board is investigating into whether the case involves data hacking or an internal leakage, which, if correct, would be a more worrisome issue.
The case began with the Inspector General (IG) of Maharashtra’s Cyber Cell informing the Chief Commercial Manager (CCM) — Western Railways on Tuesday that large volumes of data belonging to users may have been compromised. The CCM, in turn, informed the Railway Board which called an emergency meeting and decided to form a committee, including three members of IRCTC and three from Center for Railway Information Systems (CRIS), the rail ministry’s IT arm.
IRCTC has a combined user base of 10 million and more than 500,000 tickets are sold on the e-ticketing portal every day. The Indian Railways’ e-ticketing arm has now requested the IG-Cyber Cell of Maharashtra to share the data sets or complaints that have triggered the investigation to ascertain the source of the hack or the leak.
Meanwhile, IRCTC’s Managing Director, who attended Tuesday’s emergency meeting, has written to Delhi Police’s Cyber Cell to look into the matter. Officials are reportedly concerned over the possibility of users’ credit card details or bank details having been compromised.
The website of IRCTC asks users to share mobile numbers and email ids during registration for booking tickets. However, for credit card and bank account details, the users are directed to the website of the banks which generally deploy more secure firewalls.
The data hacking case comes a week after a joint team of the Bengaluru Branch of the Central Bureau of Investigation (CBI) and Western Railways Vigilance Department arrested a man from Basti in Eastern Uttar Pradesh for hacking into the IRCTC website to create fake tickets that used to be sold to a network of agents across the country.
Rail minister Suresh Prabhu had last month ordered a Cyber audit of all the online systems of India Railways to make railways’ IT system foolproof.