Alleged IRCTC hacking could turn out to be India's biggest data heist


IRCTC_01Social media was abuzz on Thursday over reports that the Indian Railway Catering and Tourism Corporation (IRCTC) website had been hacked and apprehensions that personal data of around 10 miIlion customers could have been stolen from the server of India's biggest e-commerce player, which sees more than 18 crore train tickets booked a year.

An official statement issued by the ministry of railways later in the day said thorough investigations had been conducted but no such hacking incident has been detected by the technical teams of Centre for Railway Information Systems (CRIS) and IRCTC.

The IRCTC e-ticketing system is managed in-house by CRIS, the IT arm of Indian Railways. The data centre is in the premises of CRIS.


It said that till now, leakage of data through none of the service providers of IRCTC has been established.

"A Railway committee set up couple of days back, in its preliminary report has not found any indication of breach of security in any of the databases of the e-ticketing system," it said. It, however, added that further investigations by this committee is in progress and once the purported leaked data is made available, further checks would be conducted.

While the IRCTC has denied any hacking and said that it is probing the alleged data sale, if it turns out to be true, it could be the biggest data theft ever in India's history.


Earlier in the day, The Times of India reported that the Maharashtra cyber cell had informed IRCTC about a potential data theft.

However, IRCTC public relations officer Sandip Dutta denied any such breach in its systems. Responding to every mention of the data breach on Twitter, IRCTC replied: "IRCTC website has not been hacked. Enquiry is being conducted regarding alleged data sale."

News portal News18.com quoted Dutta telling television channel CNN-News18 that the website is "absolutely fine' and passengers need not worry. "Three days ago, IB cyber cell, Mumbai informed us that some data in the name of IRCTC is in circulation," he said. "We set up a committee which is probing this. Railway Board is waiting for a copy of the data to be shared by Cyber Cell; only then can we ascertain if it was indeed our data. So far, it has not been established," he added.


Passengers need to share their mobile numbers and email ids for registering on the IRCTC site. Users are also asked to provide their debit/credit card and Aadhar card details while booking tickets. According to information on its website, IRCTC has a user-base of 39 million, and sells 500,000 tickets every month, with 50 million daily visitors.

The Times of India quoted an IRCTC source as saying, "Somebody can create forged documents on the basis of the stolen data. The data is a valuable asset and can be sold to corporations who may use it for targeting potential consumers."

The data hacking case comes a week after a joint team of the Bangalore branch of the Central Bureau of Investigation (CBI) and Western Railways Vigilance Department arrested a man from Basti in eastern Uttar Pradesh for hacking into the IRCTC website to create fake tickets that were to be sold to a network of agents across the country, according to a Business Standard report.


The rate at which cyber crime in India is growing is very alarming. And, with increasing use of IT-enabled services such as e-governance, online business and electronic transactions, protection of personal and sensitive data has become very important. In the first three months of 2016 (January-March 2016), as many as 8,056 website hacking incidents were reported, according to a government statement tabled in Parliament on Wednesday.

"Over a period, the nature and pattern of incidents have become more sophisticated and complex," Communications and IT minister Ravi Shankar Prasad was quoted by PTI as saying.

Like this story? Sign up for our daily newsletter to get more of our best stories.


Sign up for Newsletter

Select your Newsletter frequency