tech

User data of more than 900,000 leaked from IRCTC last year, resurfaces on dark web

About 900,000 plus user records leaked from the Indian Railway Catering and Tourism Corporation (IRCTC) has been spotted on the dark web and can be easily downloaded. 

The information in the leak includes users’ full names, mobile numbers, date of birth, gender, marital status, city of origin and state of residence.
The information in the leak includes users’ full names, mobile numbers, date of birth, gender, marital status, city of origin and state of residence. (Pixabay)

A set of user data belonging to more than 900,000 users has been spotted on the dark web by a dark web risk monitoring firm called Cyble. Cyble noted that they came across a post where a user had allegedly claimed that user of data of close to one million people had been leaked sometime in 2019 and shared that data on the DarkWeb community on October 13.

Cyble found out that the 900,000 plus user records belonged to the Indian Railway Catering and Tourism Corporation (IRCTC). IRCTC is a subsidiary of the Indian Railways that handles online ticketing, catering and tourism operations.

Also Read: User data of thousands of adult dating site users leaked globally

Details suggest that the data was exfiltrated by hackers sometime last year and was just being shared again.

The user sharing the data did so without asking for a fee and it appears that he isn’t the one who exfiltrated the data in the first place. Also, there is no mention of whether IRCTC was ever sent a ransom note or was extorted.

Details suggest that the data was exfiltrated by hackers sometime last year and was just being shared again.
Details suggest that the data was exfiltrated by hackers sometime last year and was just being shared again. (Cyble)

The information in the leak includes users’ full names, mobile numbers, date of birth, gender, marital status, city of origin and state of residence.

Data of this kind and this quantity can easily be used for phishing attacks and scams and spam emails/texts/calls. Sensitive data like payment details, home addresses, travel dates etc are not a part of the information in the leak and neither are email IDs, thankfully.

The data dump is easily downloadable and after removing duplicates, Cyble found at least nine lakh unique rows of user information.

In case you have ever used IRCTC to book tickets and want to check if your data is a part of the leak or not, Cyble has acquired and indexed the data on their data breach monitoring and notification platform, AmiBreached.com.
In case you have ever used IRCTC to book tickets and want to check if your data is a part of the leak or not, Cyble has acquired and indexed the data on their data breach monitoring and notification platform, AmiBreached.com. (Cyble)

In case you have ever used IRCTC to book tickets and want to check if your data is a part of the leak or not, Cyble has acquired and indexed the data on their data breach monitoring and notification platform, AmiBreached.com. You can register on the platform to check if your information is in that lot or you can also check it by downloading the mobile application (available on iOS and Android).

Also Read: Over 500,000 Activision accounts hacked, Call of Duty players’ data, password at risk

IRCTC has denied that any such leak has happened so it seems like it must have happened a year ago as Cyble states or even earlier. 

As per NDTV reports, IRCTC spokesperson and PRO Siddharth Singh said that no user data has been leaked and all the data in the leak seems to be of very general nature and something that’s available even on e-commerce portals. IRCTC has also said that this data is a part of a breach that happened five years ago.

Cybersecurity expert Jiten Jain told NDTV that IRCTC could be “partially right” about the data being leaked earlier and it not being a recent incident and that data resurfacing and being resold on the dark web is normal. He also added that IRCTC is currently in denial mode.

However, this means that irrespective of whether the data leaked five years ago or a year ago, IRCTC has not looked into it and the user data is out and available on the dark web.