IRCTC May Have 2 Lakh Passengers' Data Exposed To Hackers For Almost 2 Years

IRCTC is a mobile application that connects to third-party insurers for free travel insurance. IRCTC introduced the service in December last year. The IRCTC site is thought to have a vulnerability that could allow hackers to steal data of passengers.

According to ET, IRCTC has announced that they have fixed a huge security bug after nearly two years of loose. In particular, the bug may have exposed at least 2,00,000 (2 lakh) passengers and allowed attackers to approach their details, though it's not clear if hackers did access to the data or not.

Free travel insurance is compulsory for those who buy tickets through the IRCTC's site or phone app. Accordingly, the information of these travel insurance applicants will be forwarded to a third insurance company in cooperation with the IRCTC to ensure customers in accordance with regulations.

Earlier on August 14th, network security researcher Avinash Jain discovered and reported the bug to the company. Then on the 29th of the same month, the IRCTC learned and corrected the error.

Jain responded to the ET reporter that in just 10 minutes, he was able to read personal information as well as the schedule of nearly 1,000 passengers and candidates.

Meanwhile, the site handles around 6,00,000 (6 lakh) tickets each day. So Jain can calculate at least 2,00,000 (2 lakh) of passenger information and the details of the ticket holder are public because one of the three insurance companies can enter.

Gurunatha Reddy Gopireddy, who co-research Jain on seeking for the flaw, told ET: 

Obviously, Royal Sundaram General Insurance and ICICI Lombard General Insurance are the two remaining insurance companies without the fault. Funny, IRCTC announced that they had fixed the bug on August 29, but the company has stopped compelling customers to join the free travel insurance service from September 1, you can now choose whether to opt for travel insurance when booking on IRCTC.