News Reports
have appeared in some Electronic and Print media regarding alleged leakage of
email and mobile numbers from user profile data of IRCTC E-ticketing system.
Indian Railway Catering and Tourism corporation (IRCTC) is a PSU of Indian
Railways. Its website irctc.co.in is used for purchasing Railway E-Tickets.
Firstly, Indian
Railways would like to clarify that there has been no hacking of the IRCTC
website. The E-ticketing website has been working normally thereby eliminating
any chances of unauthorized interference. As soon as the matter came to
notice of Railways on 02/05/2016, thorough investigations were conducted to
detect veracity of the news, however, no such incident has been detected. The
Ministry would like to assure that all necessary Safeguards and security checks
are in place for this website. There is a system of regular security audits by
concerned departments of government of India. All the components of the system
are functioning normal and no unusual activity has been discovered. All
sensitive data like passwords etc are stored in encrypted form. In addition to
this, 24x7 monitoring of the system is done throughout the year by technical
team of experts. Hence there is no cause for any panic or concern. A Railway
committee set up couple of days back, in its preliminary report has not found
any indication of breach of security in any of the databases of the E‑ticketing
system.
The complete
facts about the matter is given below:-
The News Reports
have appeared in some Electronic and Print media regarding alleged leakage of
email and mobile numbers from user profile data of IRCTC E-ticketing system.
Indian Railway Catering and Tourism corporation (IRCTC) is a PSU of Indian
Railways. Its website irctc.co.in is used for purchasing Railway E-Tickets-ticketing
system is managed in-house by CRIS, the IT arm of Indian Railways. The Data
centre is in the premises of CRIS. As soon as the matter came to notice of
Railways on 02/05/2016, thorough investigations were conducted to detect
veracity of the news, however, no such incident has been detected by the
technical teams of Centre for Railway Information Systems (CRIS) and Indian
Railway Catering and Tourism Corporation (IRCTC).
No “Denial of
Service attack” (DoS/DDoS) has been successful and the E-ticketing website has
been working normally thereby eliminating any chances of unauthorized
interference. About 5.48 lakh tickets were booked in a single day in April
2016 with 2.66 lakh peak concurrent users. About 13,600 tickets per minute
were booked.
The E-ticketing
system has several components viz., internet gateway, network security devices
such as gateway router and Firewall, Application Delivery Controller, Security
Information Event Management System (SIEM) web server and database server access
logs. Each of the components has been checked and none of the components has
been found to have unusual activity. Technical investigations have also not
indicated any unusual activity with respect to various system components.
The IT security
of E-ticketing system is ensured through regular security audits by
Standardization Testing Quality Certification (STQC) directorate of Department
of Electronics and IT, Government of India. The entire traffic flowing on
E-ticketing system internet gateway is also forwarded to CERT-In in real-time
for monitoring and alerting. The gaps reported by STQC in their penetration
testing have been addressed. However, auditing is an ongoing process and
security audit of E-ticketing system is undertaken biannually.
Audit trails are
maintained for access to the system and all sensitive data like passwords etc
are stored in encrypted form. In addition to this, 24x7 monitoring of the
system is done throughout the year by technical team of experts. Strict
physical checks are already in place in the Data centre like restricted access
to Data centre, CCTV cameras at entry and exit points of Data centre.
The data of
E-ticketing system can be broadly categorized into two categories viz.,
sensitive information like Debit/Credit Card details, Login ID, Passwords,
which could cause potential financial risk. PAN card detail is not required
for booking E-ticket. No sensitive data has been alleged to have been leaked.
It is clarified
that other data like mobile number and email ids is available with a large
number of electronic service providing entities viz., E-commerce firms,
telemarketers etc. Email and mobile numbers have to be shared with service
providers for providing catering services, cab services, hotel bookings, SMS
services, etc. Till now, leakage of data through none of the service providers
of IRCTC has been established.
A joint
committee comprising of officers from both CRIS and IRCTC has been set up.
The committee in their preliminary report has not found any indication of
breach of security in any of the databases of the E‑ticketing
system. Further investigations by this committee is in progress and once the
purported leaked data is made available, further checks will be conducted.
****
AKS/MKV/AK