IRCTC Selling User Email IDs To Spammers And Here Is The Proof

18

I saw an interesting tweet from a friend today on my Twitter timeline which said, “Apparently IRCTC is selling its email database to spammers. Getting SPAM on my irctc-only email address”.

I was quite surprised by this, because IRCTC is a big huge government organization, and a bureaucratic one too. For IRCTC, as a organization, to sell user email IDs to marketers or spammers is something I could not believe. So, I decided to dig further.

After having conversation with Navin, it became quite clear that the email ID on which he received the unsolicited email was used for nothing else apart from IRCTC account registration .

Many users who value their privacy generally use different custom email IDs for registering on different websites (they do it by way of catch-all email functionality, where prefix of mail could be anything and yet all mails arrive at same mailbox), so when they receive any spam on a particular ID, they immediately know the source from where the email ID has been leaked.

In this case it was the ID specifically created for IRCTC:  Look at all 3 screenshots given below. All the emails have been sent to – [email protected]the email that was created for IRCTC registration. This email was not used elsewhere for any other purposes.

Unsolicited Spam Email From MyDirectMailbox

Email 1

Unsolicited Spam Email From Indian National Congress

Email 2

Unsolicited Spam Email From Shop Online India

Email 3

Navin confirmed to us that he has received approx 6 such spam emails in last few months.

  • SHOP India Online (2 mails so far)
  • One from a random Fixed Deposit Scheme
  • And most interestingly, from Indian National Congress (3 mails so far)

It is quite safe to say that it was not one-off instance and clearly a case where his IRCTC email ID was sold (or shared) to marketers.

Now, just to make sure that IRCTC does not have permission of sharing users’s email IDs, we went through the terms and conditions as well the privacy policy of IRCTC website. It clearly states that they do not collect any information. Here is the link and screenshot of what IRCTC website says:

IRCTC terms and Conditions

Forget about sharing the email ID, the privacy policy mentions that they do not even collect any unique information about users such as your name, email address etc.

Now, I do not know who has drafted this privacy policy, but they clearly do collect user’s email addresses, name and some other personal information as well (How else would they show it in user account everytime they login)! However, they also clearly mention that IRCTC will not share your personal data with advertisers, business partners, sponsors, and other third parties without your express consent. 

Does IRCTC sell registered user Email IDs?

We surely have a clear proof that IRCTC email address is compromised, but the question is whether IRCTC themselves do it?

In our view, it is nearly impossible for a govt organization to do anything of this sort. But think about people working inside IRCTC. The system administrators or the software engineers or anyone who has access to the database. They have access to millions of email addresses and that is a potential gold mine and easy money!

In all probability, IRCTC employees having access to user database are responsible for email ID compromise.

Having said that, from user perspective, it is IRCTC who is responsible for the breach and not any one single employee (and hence the title)!

Would love to hear your thoughts on this!

18 Comments
  1. Thampy John says

    I am getting a huge volume of spam these days. I have no suspects other than irctc, that’s why I googled and found out this post. Can anyone do something about this. It could be irctc or the insurance company who got access to our email addresses.

  2. S P Chowdhury says

    IRCTC not only giving mail ID but they also providing Telephone no and the Journey details to the outsider.

  3. Prashant Aier says

    Not only email but phone numbers associated with such emails are also shared. This happened in last week when i opened IRCTC account for my relative and today he got spam SMS. This is not acceptable.

  4. […] User Email IDs registered with IRCTC are being shared or sold with internet marketers. Here is a clear proof of […]

  5. Hemal says

    This came after the Flipkart expose that happened about 6-7 months ago. After seeing it, even I started creating separate email for separate websites.

  6. Breaking News says

    Arun,

    Its confirmed. http://www.Yebhi.com is selling it! The IRCTC Ecommerce store is powered by them and all emails are shared for cross promotions. Yebhi has no money – sacked staff, left office spaces, not much stock, hasnt paid anyone. They are selling it… confirmed!

  7. Arup Ghosh says

    They are sharing our email ids and contact info with advertisers and making millions, so why they don’t remove the extra charge on e tickets ?

  8. Anchit Shethia says

    Wonder why the problem is with you. I have not received any such spam emails on my IRCTC email ID. Its be live since 2 years and except for the ITCTC promotional offers, nothing spammy came up.

  9. Tushar says

    No surprise here! Who doesn’t do it especially, when the database is worth millions. However, I wonder if the IRCTC (officially) has anything to do with it. . . It’s probably the agency maintaining the DB or someone hacked into it . . & trust me, they never thought someone would be clever enough to catch them like this.. Nice catch Navin…. Awesome. hahaha . . .

  10. Trilok says

    E-Blasphemy ! +1 to hate our E-Government now.

  11. ex_yebhi says

    Irctc has an ecommerce alliance with Yebhi.com. All transactors emails are shared with them. Yebhi is in a severe cash crunnch and sells them.

  12. Satish Kandukuri says

    Hey Arun,
    Firstly I have been regular reader of your blog over last 2-3 years. You put up lot of informative things.

    This whole story prompted me to reply :)

    Though you have mentioned that this particular email id is compromised I would like to give my two cents.

    But couldn’t it be that this navin.irctc guy’s email id might be snooped or stolen while browsing the web?? Am assuming any such thing is fairly possible with the kind of tracking websites do and those third party websites might have sold the data.

    I have been using irctc for a long time and never received spam mails at least as mentioned here.
    I think based on just this one single instance we can’t quite jump to a conclusion. We will have to have more such cases to substantiate such a claim !! What say ??

    1. Arun Prabhudesai says

      Satish – Thanks for being a regular reader. Talking about Navin, he is a hard core tech guy and I am sure he has taken all precautions to ensure that his email ID is note taken without his knowledge. But most importantly, he used a specific email ID [email protected] ONLY for registering on IRCTC and no where else.
      While you might have not recd a spam, many have confirmed that this has happened to them as well. It surely is not one-off instance!

  13. kumar says

    Though IRCTC & Indian railways are Govt. Organizations, the people running these are real suckers. If you open their websites, there are so many pop ups with ads. I’ve never seen any govt. website doing so.

    More than that once I’ve posted a article based on the report IRCTC shared in their website. They have sent me notice to remove the content stating that nobody should republish the data without written consent. That is ridiculous. Any govt. organization encourages public to spread the information. But in this case they have restrained me from doing so because, I’m competition for their ad revenue. I’m attracting their traffic.

  14. Yes I faced this too! I was suspicious and your article confirms the same. So what is the solution? Can IRCTC be sued for selling user privacy?

  15. Prakash says

    This, I guess you are sitting on a gold mine here, If just this was US.

  16. Amit Patekar says

    Even Airtel do the same. With email addresses and phone number.

  17. prateekb3 says

    yeah I think they doing it. We can trust them..

Leave A Reply

Your email address will not be published.

who's online