The Economic Times daily newspaper is available online now.

    IRCTC pulls up Bajaj Allianz and Liberty General Insurance for data privacy issues

    Synopsis

    IRCTC said the security lapses were not at its end. It has further put the integration with these insurance companies on hold after the incident came to notice, an IRCTC spokesperson said in an emailed statement.

    Indian Railway Catering and Tourism Corporation (IRCTC) has temporarily taken down the services of Bajaj Allianz and Liberty General Insurance from its platform after noticing a vulnerability on the insurers' websites that put the personal data of passengers at risk.
    By virtue of its status as a Railway Public Sector Undertaking (PSU), IRCTC has a monopoly over train ticket booking in the country. The insurance companies provide travel insurance to passengers who book their train and flight tickets through IRCTC. The e-ticketing major books nearly 1.2 million train tickets a day.

    The vulnerability was discovered by researchers Avinash Jain and Aseem Shrey.

    According to Jain, the vulnerability, called an insecure direct object reference (IDOR), allowed anyone to extract passenger information, including name, journey details, phone number, gender, age and the name of the passenger's nominee for insurance pay-out.

    "Within just a few minutes, thousands of passengers' details were on our screens," Jain said. "The simplicity of this vulnerability and its impact makes it highly critical. We could have access to millions of passengers' information in a few hours."

    According to officials in the know, the websites of these two insurance companies were allowing access to passenger details to anyone who had the Passenger Name Record (PNR) details. "There were no checks in place to verify the antecedents of the person accessing passenger or nominee data," senior officials in the know said.

    IRCTC said the security lapses were not at its end. It has further put the integration with these insurance companies on hold after the incident came to notice, an IRCTC spokesperson said in an emailed statement. "Insurance services through these companies will be restored only after putting additional check at their websites has been done to the satisfaction of IRCTC."

    Cyber security activist NS Nappinai, a Supreme Court advocate, called it a serious issue.

    "Platforms have to be made accountable for the data they collect, store or analyse," said Nappinai, who is also the founder of Cyber Saathi, an initiative focusing on cyber safety. "Whilst India has seen many instances of data breaches there have not been sufficient prosecutions or penalties to act as a deterrent."

    When reached, Bajaj Allianz and Liberty confirmed the vulnerability.

    "At Bajaj Allianz General Insurance, we truly value our customers' data and privacy and we take cognisance of the vulnerability and are looking into it immediately," Sourabh Chatterjee, Senior President & Head-IT, Web Sales, Travel at Bajaj Allianz said in an emailed statement.

    A Liberty Insurance spokesperson in a statement said: "The reported gap has been closed and we continue to collaborate with IRCTC to further enhance the security features." The complete statement is reproduced below:

    "Liberty General Insurance has a strong defence-in-depth approach to secure all our critical IT assets against cyber threats and protect customers' data. We are continuously and actively conducting vulnerability testing of the IT infra and applications, to proactively mitigate identified vulnerabilities. In the matter under reference, we would like to reiterate that no personal information of the passengers like email ID, telephone number, address, date of birth etc. were compromised. Once the matter was brought to our notice we immediately used the inputs received to further strengthen our security controls. We continue to work diligently on protecting our customers and partners from ever-evolving developments in a very dynamic cyber environment."

