“There has been no hacking of the IRCTC website. No such incident has been detected by the technical teams of the Centre for Railway Information Systems (CRIS) and IRCTC. Technical investigations have also not indicated any unusual activity with respect to various (e-ticketing) system components,” the ministry said.
It said the preliminary report of a six-member committee set up to look into the matter has not found any indication of a breach of security in any of the databases of the e-ticketing system. The ministry promised to carry out further checks once the “purported leaked data” are made available, even as the committee continues its investigations.
However, the ministry said “no Denial of Service (DoS) or DDoS attack has been successful”, fuelling suspicion over whether a DDoS attack did occur on the IRCTC website on Tuesday. A DDoS attack is said to have occurred when hackers sitting at multiple locations or operating from multiple servers or identities launch a simultaneous and coordinated attack on a particular website or machine to bring it down.
“The main motive of a DDoS attack is to make the chosen machine or website unresponsive through multiple bad requests,” a software engineer who did not wish to be identified explained. “This is different from a DoS attack, where it is launched by a hacker from a single location or server,” he added.
The official statement also said the gaps reported by Standardisation Testing Quality Certification Directorate (STQC), an arm of the Department of Electronics and Information Technology, in their penetration testing have been addressed, implying the presence of such gaps. IT security of the e-ticketing system is ensured through security audits conducted by STQC.
“Audit trails are maintained for access to the system and all sensitive data like passwords are stored in encrypted form. In addition, round-the-clock monitoring is done by a team of experts. Strict physical checks are already in place in the Data Centre, including restricted access and CCTV cameras,” the rail ministry said.
Indian Railways’ e-ticketing system stores two kinds of data: sensitive information, including credit card details, login IDs and passwords, which can cause financial risk in case of leakage, and other data such as mobile numbers and email IDs. The ministry said no sensitive data have been leaked and other data sets (mobile numbers, email IDs) are available with multiple electronic service providers, including e-commerce firms and telemarketers. So far, leaks through service providers of IRCTC have not been established.
Experts said the government’s efforts at containing cyber attacks are wanting. “The kind of proactive focus the government needs to focus on cyber security breaches is not there. Denial of hacking is not a solution. IRCTC needs to investigate what sort of due-diligence was done to prevent such an attack. The country is sorely missing a dedicated cyber security legislation,” said Pavan Duggal, an advocate who specialises in Cyberlaw and E-Commerce law.
The latest case began with the Inspector General (IG) of Maharashtra’s Cyber Cell informing the chief commercial manager (CCM)-Western Railways on Tuesday that large volumes of data belonging to users may have been compromised. The CCM, in turn, informed the Railway Board, which called an emergency meeting and decided to form the high-level committee.
IRCTC has a combined user base of 10 million and around 500,000 tickets are sold on its portal every day. The railways’ e-ticketing arm has now requested the IG-Cyber Cell, Maharashtra, to share the data sets or complaints that have triggered the investigation to ascertain the source of the hack. IRCTC Managing Director A K Manocha, who attended Tuesday’s emergency meeting, has written to Delhi Police’s Cyber Cell to look into the matter.