Popular ticketing platform RailYatri reportedly suffered a security lapse that led to the leakage of lakhs of users' personal information in India. The data was hosted on an unsecured server, which exposed the personal details of 700,000 users.
RailYatri security issue
As per a report by The Next Web, the leaked data included user information such as names, phone numbers, addresses, email IDs, ticket booking details, and partial credit or debit card numbers.
The security flaw was discovered by the security firm Safety Detectives. On August 10, the team of researchers led by Anurag Sen found the unsecured Elasticsearch server, which held 43GB of exposed data. The 43GB of data was then reduced to 1GB by a Meow attack on August 12. For those who don't know, a Meow attack is an attack that deletes unsecured databases that run on Elasticsearch, Redis, or MongoDB servers.
The leaked data also included information such as UPI IDs, location information, and travel plans, amounting to more than 37 million records including log files. The privacy breach can easily lead to the information being used for phishing or other scams. It can also cause physical security issues, as people with malicious intent can misuse the location and travel plan details.
Safety Detectives reached out to the Indian Computer Emergency Response Team (CERT-In) and to RailYatri to bring the issue to their notice so that a fix could be released. However, neither RailYatri nor CERT-In responded.
RailYatri reached out to IndiaTVNews.com and said, "At RailYatri, we take the safety and privacy of our user-base seriously, and as soon as the issue was brought to our notice by CERT-In (Indian Computer Emergency Response Team) a week back, our team was instantly on its feet in efforts to resolve the issue then and there. Post receiving the information, the testing server port was plugged immediately from the network. The server in question was a test server, and some of our logs were partially replicated on the same. As a general protocol, any and all data older than 24 hours are automatically deleted from the server. Further, we would like to clarify that the report suggesting 7,00,000 email addresses leaked in 3 days is factually incorrect as it would be impossible for that to happen since the server contains at most a day's worth of data.
Having said so, we would like to assure our users that RailYatri does not store financial and other sensitive data with the exception of some partial details. We do not store credit card data on our servers. Data privacy is of utmost importance to us, and we have taken a thorough look at the issue to address it comprehensively. We are committed to the safety of user data."