RailYatri Leaked Debit Card, UPI Details Of 7 Lakh Passengers; 3.7 Crore Data Logs Exposed [Updated]

Update: RailYatri has contacted us, and provided their side of the story. Here is their full statement on this incident:

“At RailYatri, we take the safety and privacy of our user-base seriously, and as soon as the issue was brought to our notice by CERT-in (Indian Computer Emergency Response team) a week back, our team was instantly on its feet in efforts to resolve the issue then and there.

Post receiving the information, the testing server port was plugged immediately from the network. The server in question was a test server, and some of our logs were partially replicated on the same. As a general protocol, any and all data older than 24 hours are automatically deleted from the server. Further, we would like to clarify that report suggesting 7,00,000 email addresses leaked in 3 days is factually incorrect as it would be impossible for that to happen since the server contains at most a day's worth of data.

Having said so, we would like to assure our users that RailYatri does not store financial and other sensitive data with the exception of some partial details. We do not store credit card data on our servers. Data privacy is of utmost importance to us, and we have taken a thorough look at the issue to address it comprehensively. We are committed to the safety of user data.”

Earlier…

As per reports, RailYatri, the online ticketing platform, recently fell victim to a security flaw that exposed the payment information and other personal details of 7 lakh users.

Read on to find out more…

What Exactly Happened?

According to the reports, the leaked data was exposed on an unsecured Elasticsearch server, which was discovered by a team of researchers at cyber-security firm Safety Detectives on August 10.

Personal information such as full names, phone numbers, email ids, location information, ticket booking details, UPI ids, and partial credit or debit card numbers was left exposed on the server. More than 3.7 crore records, including log files, were found.

The findings by the team indicated that the affected server was left exposed without any encryption or password protection for several days.

In its blog, the security firm said that anyone with the server’s IP address could have gained access to the full database.

The team, headed by Anurag Sen, found that the server held 43 GB of data, most of it belonging to users based in India.

On August 12, the 43 GB of data was reduced to 1 GB by a Meow attack, which deletes unsecured databases that run on Elasticsearch, Redis, or MongoDB servers.

This security flaw and the leak of personal data could have led to phishing attacks or other scams. It could also have posed a threat to users, as attackers could have gained easy access to a user’s location or travel plans.

What Did RailYatri Do After This?

When Safety Detectives brought this matter to the attention of the Indian Computer Emergency Response Team (CERT-In), RailYatri closed the server.

On August 25, a RailYatri spokesperson issued a statement saying, “Post receiving the information, the testing server port was plugged immediately from the network. The server in question was a test server, and some of our logs were partially replicated on the same. As a general protocol, any and all data older than 24 hours are automatically deleted from the server.”

The company further clarified that the report stating that 7 lakh email addresses were leaked in 3 days is factually incorrect, as it would be impossible for that to happen since the server contains at most a day's worth of data.

The spokesperson also said, “Having said so, we would like to assure our users that RailYatri does not store financial and other sensitive data with the exception of some partial details. We do not store credit card data on our servers. Data privacy is of utmost importance to us, and we have taken a thorough look at the issue to address it comprehensively. We are committed to the safety of user data.”
