IRCTC Fixes Security Bug Which Could Have Put Personal Details Of Lakhs Of Passengers Into Hackers’ Hands

Swarajya Staff | Nov 12, 2018, 11:27 AM | Updated 11:25 AM IST
A view of IRCTC’s booking website


The Indian Railway Catering and Tourism Corporation (IRCTC) has fixed a security bug which could have given hackers access to passengers’ personal information, reports Economic Times.

In December 2016, the IRCTC introduced free travel insurance for everyone who used the IRCTC website or the mobile application to book tickets. The decision allowed third-party insurers to provide insurance coverage to all travellers, and it put travellers' passenger details at risk. About 6,00,000 train tickets are sold daily through the IRCTC website. Alongside online ticketing operations, the IRCTC also handles catering and tourism for the Indian Railways.

It is still unclear whether any passenger data was stolen through the bug over two years. The bug was found by Avinash Jain, a security researcher, in the IRCTC website and the mobile application link, which provides free travel insurance through a third-party insurance company. He reported the bug to IRCTC on 14 August and it was fixed by IRCTC on 29 August.

The bug could have given hackers access to passenger details such as name, age, gender and insurance nominees without their knowledge or consent. “Within 10 minutes (after finding the bug) we were able to read almost 1,000 passenger and nominee information,” said Jain, who subsequently wrote to IRCTC alerting them about the problem.

Jain estimated that the bug left the details of at least 2,00,000 passengers and their nominees exposed to an attacker. The IRCTC then decided to stop the free but compulsory insurance on 1 September. Users now need to either opt in or opt out of the travel insurance.
