Update 1: We updated the article after Indian Railways issued an official statement.
Update 2: The data dump up for sale belongs to RailYatri [Read Details]
It seems Indian Railways recently suffered a data breach. Data belonging to Indian Railways is up for sale on a hackers’ forum. This forum is mostly used by cybercriminals for selling breached data and hacked accounts. A person with the username shadowhacker has posted the data of 30 million Indian Railways users on the portal for sale. The threat actor is also providing a sample database in plain text format. So, interested buyers can verify the data before the payment.
The breached data has two endpoints. One includes user data and the second one includes booking data. The user data includes username, email, phone number, gender, city, state, and language preference. In the booking data, it has the passenger’s name, mobile, train number, Tavel details, invoice PDF, and some other information.
I downloaded the sample user data and booking data to see if the records are legit. In the booking data, I found records of recent and upcoming journeys. When I checked the PNR data of a few records, It matched the records in the sample data. So, I can certainly say that the records were breached recently and are true. Here’s a sample screenshot of the data and what I found after PNR verification.
As per the listing, the seller is only providing 5 copies of the data and is charging $400 per copy. If someone wants to get exclusive access, he will have to pay $1500 and data will only be given to him. The seller also claims to provide the data and vulnerability detail for $2000.
The seller disclosed that he used a vulnerability to obtain the data but didn’t mention anything about the vulnerability.
After our initial reporting, several media houses also reported the same. So, the Indian Railway has issued an official statement. It claims that the data is not from the IRCTC servers.
“On analysis of sample data it is found that the sample data key pattern does not match with IRCTC history API. Reported/suspected data breach is not from the IRCTC servers,” it said.
We also didn’t mention that the data was accessed from official IRCTC servers. But the shared records had some active PNRs. So, the data actually belong to Indian Railways. Not sure if it was accessed from partner apps that are also allowed to book Train tickers.
Here it is worth noting that the data of Indian Railways passengers was also leaked back in 2019. That breach affected over 2 million records. I am not sure if the current data leak has some connection with the previous one.
A person with malicious intent can use this data to perform social engineering attack against the affected customers to further harm them financially.
