Alleged Indian Railways leaked data belongs to RailYatri

Railyatri data breach

Yesterday, I published an article about the Indian Railways data leak. After verifying the sample data, I found several active PNRs and the passenger details associated with each one. The PNR information in the leaked data matched what I got back when I checked those PNRs, which was enough to confirm that the data was genuine and related to Indian Railways. I had no information on how someone obtained this data, so I did not speculate about it and only repeated what the data seller claimed. Although some other reports based on my article directly linked the data to IRCTC, I did not link the leak to IRCTC myself. The train journey data and PNR details are indeed Indian Railways data.

After this news started trending, the Indian government denied any data breach of IRCTC servers. So I went back to the sample data and found some interesting things. It now seems I have identified the real source of this data leak.

As mentioned in the previous article, the leaked data came from two endpoints. The first contains only the personal records of users; the second contains order history.

First of all, let’s check when this data was breached.

The order history data also records the date of each ticket booking. The most recent ticket was booked on 2022-12-24, i.e. 24 December 2022. This confirms that the data was taken on or after 24 December 2022.

Who was the culprit?

In the sample order history data, I found multiple references to Railyatri. To confirm whether the data belongs to Railyatri, I investigated further.

I found three railway bookings that had been cancelled, each with a refund initiated and a refund ID recorded. When I looked up those order IDs, the refund history was shown on the RailYatri website, and the refund ID there matched the refund ID in the data set.

The URL for checking the refund status was also present in the sample data set. See the snapshot. I only had to replace .in with https://www.railyatri.in.

After opening the URL, I found the Railyatri page showing the refund status and refund ID. See the screenshot; I have removed the order ID and refund ID from the snapshot for privacy reasons. Note the journey points, DEC->MHRG. These also matched the record in the data set.

There was also an invoice_pdf_URL field in each record.

After some research, I found where Railyatri stores its PDF tickets. So I opened the ticket PDF URL directly and got the PDF ticket associated with that order.

Some orders included a bus ticket booking alongside the train ticket booking. When I checked a bus ticket order, I found a PDF URL for downloading the bus ticket directly. See the invoice_pdf_url.

I only needed to fill in railyatri in the blank space, and the PDF invoice was there with the same information as in the data set. The IntrCity SmartBus service belongs to Railyatri.

These pieces of evidence are enough to confirm that the "Indian Railways" data offered for sale on the forum actually belonged to Railyatri. The data set consisted mostly of train ticket records, and the seller claimed it belonged to Indian Railways, so my previous report said the same. But this leaked data links to Railyatri. Someone either breached Railyatri's servers or exploited a vulnerability in its app to obtain this data dump.

I hope Railyatri will come with a clarification.

Railyatri also suffered a data breach back in 2020, which affected 7 million users. The company's response to that earlier leak was also questionable. It seems the company does not take the security of user data seriously.
