You are here: Home » Current Affairs » News » National
Business Standard

Railway ministry denies IRCTC hacking

IRCTC has a combined user base of 10 million and around 500,000 tickets are sold on its portal every day


Sudheer Pal Singh & Karan Choudhury  |  New Delhi 

IRCTC's PRO says website not hacked, probe on

The railway ministry on Thursday sought to allay users' concerns about reports of alleged hacking of the Indian Railway Catering and Tourism Corporation (IRCTC) website.

“There has been no hacking of the website. No such incident has been detected by the technical teams of the Centre for Railway Information Systems (CRIS) and Technical investigations have also not indicated any unusual activity with respect to various (e-ticketing) system components,” the ministry said.

It said the preliminary report of a six-member committee set up to look into the matter has not found any indication of a breach of security in any of the databases of the e-ticketing system. The ministry promised to carry out further checks once the “purported leaked data” are made available, even as the committee continues to investigations.

However, the ministry said “no Denial of Service (DoS) or DDoS attack has been successful”, fuelling suspicion whether a DDoS attack did occur on the website on Tuesday. A DDoS attack is said to have occurred when hackers sitting at multiple locations or operating from multiple servers or identities launch a simultaneous and coordinated attack on a particular website or machine to bring it down.

“The main motive of a DDoS attack is to make the chosen machine or website unresponsive through multiple bad requests,” a software engineer who did not wish to be identified explained. “This is different from a DoS attack, where it is launched by a hacker from a single location or server,” he added.

The official statement also said the gaps reported by Standardisation Testing Quality Certification Directorate (STQC), an arm of the Department of Electronics and Information Technology, in their penetration testing have been addressed, implying the presence of such gaps. IT security of the e-ticketing system is ensured through security audits conducted by STQC.

“Audit trails are maintained for access to the system and all sensitive data like passwords are stored in encrypted form. In addition, round-the-clock monitoring is done by a team of experts. Strict physical checks are already in place in the Data Centre, including restricted access and CCTV cameras,” the rail ministry said.

Indian Railways’ e-ticketing system stores two kinds of data, sensitive information including credit card details, login id and passwords which can cause financial risk in case of leakage, and other data such as mobile numbers and email ids. The ministry said no sensitive data have been leaked and other data sets (mobile number, email ids) are available with multiple electronic service providers, including e-commerce firms and telemarketers. So far, leaks through service providers of IRCTC have not been established.

Experts said the government’s efforts at containing cyber attacks are wanting. “The kind of proactive focus the government needs to focus on cyber security breaches is not there. Denial of hacking is not a solution. IRCTC needs to investigate what sort of due-diligence was done to prevent such an attack. The country is sourly missing a dedicated cyber security legislation,” said Pavan Duggal, an advocate who specialises in Cyberlaw and E-Commerce law.

The latest case began with the Inspector General (IG) of Maharashtra’s Cyber Cell informing the chief commercial manager (CCM)-Western Railways on Tuesday that large volumes of data belonging to users may have been compromised. The CCM, in turn, informed the Railway Board, which called an emergency meeting and decided to form the high-level committee.

IRCTC has a combined user base of 10 million and around 500,000 tickets are sold on its portal every day. The railways’ e-ticketing arm has now requested the IG-Cyber Cell, Maharashtra, to share the data sets or complaints that have triggered the investigation to ascertain the source of the hack. IRCTC Managing Director A K Manocha, who attended Tuesday’s emergency meeting, has written to Delhi Police’s Cyber Cell to look into the matter.

Dear Reader,

Business Standard has always strived hard to provide up-to-date information and commentary on developments that are of interest to you and have wider political and economic implications for the country and the world. Your encouragement and constant feedback on how to improve our offering have only made our resolve and commitment to these ideals stronger. Even during these difficult times arising out of Covid-19, we continue to remain committed to keeping you informed and updated with credible news, authoritative views and incisive commentary on topical issues of relevance.
We, however, have a request.

As we battle the economic impact of the pandemic, we need your support even more, so that we can continue to offer you more quality content. Our subscription model has seen an encouraging response from many of you, who have subscribed to our online content. More subscription to our online content can only help us achieve the goals of offering you even better and more relevant content. We believe in free, fair and credible journalism. Your support through more subscriptions can help us practise the journalism to which we are committed.

Support quality journalism and subscribe to Business Standard.

Digital Editor

First Published: Fri, May 06 2016. 00:35 IST