How a free travel insurance offer on the Indian Railways website left data of 200,000 passengers exposed to hackers for two years

  • The Indian Railway Catering and Tourism Corp’s (IRCTC) website, used to book railway tickets digitally, exposed data of 200,000 users.
  • In a massive data breach, the railway department was unaware of the bug for the past two years.
  • Although the bug has been fixed, it is still not known whether the information was stolen by any hackers.

A potential security bug in the Indian Railways’ website exposed the data of as many as 200,000 passengers who used its website to book train tickets in India, Economic Times reported.

The website glitch involving a free travel insurance policy of railways could have given hackers unauthorised access to personal information of the traveler including name, age, gender and insurance nominees, according to the report.

The incident began in 2016 when the Indian Railway Catering and Tourism Corp (IRCTC) launched a provision of free travel insurance for people who used its website or mobile application to book train tickets. The provision permitted users to avail insurance coverage through third-party insurers, risking their personal details in return because of the bug.

Neither the Railways nor any other government organisation was aware of the vulnerability until Avinash Jain, a security researcher, identified the bug and alerted IRCTC in August this year. According to Economic Times, the issue was acknowledged and fixed by Indian Railways soon after the researcher warned the railways about the bug.


Jain claimed that he was able to fetch data of around 1,000 passengers in just ten minutes.

To be sure, it is unclear if the data risked by IRCTC has been improperly accessed or misused by any cyber attacker.

The risks of digital?

According to IRCTC’s annual report 2016-17, 62% of the reserved railway tickets in India are booked online. Additionally, more than 570,000 tickets are booked using the website or mobile application. Given the significant amount of passenger information IRCTC holds, the glitch would have resulted in a massive data breach.

And while the rapidly changing IT infrastructure has eased many government operations, it has also, in some cases, resulted in higher cyber security threats.

Cyber attacks have been on the rise in India and the Indian government is expecting a further increase in the number of attacks in 2018, said a recent report by the Hindustan Times.

The Computer Emergency Response Team (CERT), which monitors cyber security incidents in India, has reported 53,081 cases of cyber threats in India, reported Economic Times.

According to CERT, there were over 53,000 cyber attacks in India in 2017, whereas around 50,000 cases were reported in 2016.

A recent study by F-Secure claimed that India witnessed over 695,000 cyber attacks in just six months.

The Indian government, for its part, has said it is planning to revise its cyber security policy to deal with cyber attacks and protect sensitive information.