IRCTC hacked? One crore customers' data on the line


The Indian railways are considered to be the lifeblood of India, with lakhs of people relying on the system for their travel plans. IRCTC is estimated to be India's largest e-commerce platform because of the sheer volume of bookings done every day. But in what could be the biggest hack in India, a recent TOI report indicates that data of around 1 crore customers seems to have been compromised and stolen from the IRCTC servers.

Security should be a top priority as lakhs of customers provide PAN card numbers, Aadhaar card details, email ids, mobile numbers and other personal details while filling up online reservation forms. An IRCTC source told TOI, "The data is a valuable asset and can be sold to corporations who may use it for targeting potential consumers."

There are also rumours on social media that the hacked data is being sold on CDs for INR 15k. IRCTC, for its part, states that there have been no hack attempts and that data has not been compromised.

Because of the massive volume of confidential data, IRCTC sees a lot of interest from hackers and fraudsters. Just over a week ago, India Today reported that a man in Eastern UP was arrested by the CBI and the railways' vigilance department for hacking the IRCTC website and making lakhs of rupees by selling fake tickets.

Is IRCTC not keeping up with the times?

These reports would definitely raise a lot of questions in the minds of the Indian population about IRCTC's technical chops and its ability to protect user data. Speaking to YourStory, Shikhil Sharma, CEO of Czar Securities, stated,

It's not that the government hasn't been taking steps to secure their websites. I think till the time any forensics report comes out, the government should be given benefit of the doubt. Looking at recent patterns, it seems like these are targeted hack attempts on IRCTC. This hack is a big alarm for startups, small or big, to take security seriously from day one.

IRCTC, though, has been quite proactive in recent times. Most recently, in April, it tied up with Gurgaon-based Simpli5d Technologies to power NLP captchas on its ticket booking website, reported ET. Amit Mittal, CEO, Simpli5d Technologies, had said in the report, "IRCTC handles over one million ecommerce transactions a day and over 100 million captchas are solved on the platform every month, which will be replaced by NLP Captchas."

Traditional captchas, which are commonly used, give word- or number-based challenges to users. But hackers soon found a way around them. Shikhil explained to YourStory, "Then Google's re-captcha came which introduced machine learning to detect if a user is a hacker or bot. Google recaptcha was very user friendly. Now this NLP Based Captcha is a pathbreaker. Apart from using Natural Language Processing they are integrating advertising inside the captcha content. So, NLP captcha makes money and also utilizes technology to fight hackers."

A senior IRCTC official had told ET,

At IRCTC, security and user experience are the most critical concerns for us and at the same time we look for new avenues of revenue other than the core business of ticketing. NLPCaptcha fits in beautifully into all this - it provides better security, enhanced user experience and an altogether new stream of advertising revenues for IRCTC.

Next steps?

The Railway Board, which manages Indian Railways, has formed a high-level six-member committee of experts to look into the case, reports Business Standard. A senior IRCTC official said in the report,

We cannot comment until we have seen the data that has been leaked. We will be able to substantiate any claim of data hack or theft only after we have seen the data and checked whether it belongs to the IRCTC website or some other source.

The findings of the committee will be much awaited, as this unconfirmed hack has the potential to affect millions of individuals' data.