Indian Railways and Tourism Corporation (IRCTC) is facing strenuous time to manage the safety and security of its online ticket booking website www.irctc.co.in. Earlier in the day many media publications jumped the gun to report about the possible hack of Indian Railways and Tourism Corporation (IRCTC) website. However, the official later denied the claim, albeit accepted that the personal Information of around 10 million customers is stolen.
The hackers have allegedly gained access to sensitive personal information including Aadhaar card details, PAN card number, mobile phone numbers and email IDs. However, the credit and debit card information about the 10 million customers were safeguarded as banks divert the payments to their secure platforms. It is also being reported that the personal details of those 10 million customers are up for sale in a form of CD for Rs. 15,000 (US$240).
“IRCTC website was not hacked and is functioning properly,” Sandip Dutta, IRCTC public relations officer, said today, adding that passengers will have no problem booking tickets online.
The matter came to light when Inspector General (IG) of Maharashtra’s Cyber Cell informed Chief Commercial Manager (CCM) of Western Railways about the leakage of data on Tuesday. Later a committee was formed soon after the CCM informed the Railway board about the leak. The committee includes 3 members from Centre for Railway Information System (CRIS), the IT arm of the Indian railway ministry, and 3 members from IRCTC.
Approximately 500,000 tickets are booked via IRCTC website every day. Therefore, the topmost concern revolves around the customer’s bank account details which include his/her credit and debit card details. Fearing this, IRCTC’s Managing Director has written to Delhi Police’s Cyber Cell to have a deeper insight into the matter.
“We cannot comment until we have seen the data that has been leaked. We will be able to substantiate any claim of data hack or Theft only after we have seen the data and checked whether it belongs to IRCTC website or some other source” said a senior IRCTC official.
A casual affair for the hackers
This is not the first time Indian Railways website has been targeted by hackers. A month ago Al Qaeda shocked Asia’s largest rail network by hacking a microsite of Indian Railways Railnet page. For a short duration, the terror group bombarded the site with messages persuading Indian Muslims to join Jihad then.
In another incident, a man was also arrested from Basti in Eastern Uttar Pradesh who was allegedly creating fake tickets by hacking into IRCTC’s website. A team comprised of officials from CBI’s Bengaluru branch and Central Railway camped for 3 days in Basti to track the man off.
The number of website hacking incidents in India seems on consist rise and is posing a direct threat to government’s cyber security efforts. Around 8,056 incidents of website hacking has been reported until March 2016 whereas 28481, 32323 and 27205 website hacking incidents were reported during 2013, 2014 and 2015 respectively.
The list of cyber crimes in India is also far from the end. Symantec’s latest Internet Security Threat Report (ISTR) shows the dismal state of India’s cyber security. The major security concern for India’s cyber security is the social media scams that have risen 156% between 2014 and 2015. In layman’s term, one out of six scams on social media impacted an Indian.
Indian organizations suffered the most by cyber attacks in 2015 and the country was the 6th most targeted in Asia. The targeted firms were attacked twice on an average. Mining and BFSI businesses were targeted very frequently by the attackers.
The obsolete cybercrime laws of India are the prime reasons behind the successful hacking attempts. For an example, the laws for the smartphone are not laid separately and are ought to be treated under computer, while smartphones and computers are two poles apart.
The recent report by Symantec shows us the pathetic state of cyber security in India and lack of efforts put in by the Indian government to counter the cybercrime over the years. While the numbers of cybercrime are already staggering there are many incidents that remain unnoticed and unreported.
UPDATE: 6 May 2016: IRCTC has come out with more clarification today. In a tweet to us IRCTC has claimed that while the website was never hacked, there is no track of possible data leak of 10 million customers till now. However, the joint team of CRIS and IRCTC is still investigating the matter to verify if there was any data leak. IRCTC has also insisted on the fact that data up for sale is only non-sensitive data, i.e. email id, phone number etc., and can be captured through other sources as its available with many startups and companies, such as e-commerce companies, app based cab service providers etc. You can read the complete release from IRCTC below: