Debit cards, UPI data of 7 lakh passengers allegedly exposed due to Railyatri Security Flaw

Important financial data of several employees might have been compromised due to a security flaw in Railyatri, a new report has claimed. The platform was reportedly left exposed due to inadequate security measures, that put the payment information and other personal data of lakhs of users at risk.  

As reported by The Next Web, the data was saved on an unsecured server, and the ticket-booking platform potentially exposed personal information of over 7 lakh passengers. This includes full names, phone numbers, addresses, email IDs, ticket booking details, and partial credit or debit card numbers. The vulnerability that was first spotted by a team of cyber-security researchers on August 10. 

The exposed Elasticsearch server was spotted by a team of researchers at cyber-security firm Safety Detectives on August 10. The security firm claimed that the affected server was left exposed without any encryption or password protection for several days.  

WATCH Zee Business TV LIVE Streaming Online

Safety Detectives said in its blog that anyone with the server's IP address could have gained access to the full database. The blog pointed out that the data, amounting to nearly 43GB, mostly featured users based in India. The firm estimated that over 7 lakh individuals were likely affected by the vulnerability. 

A RailYatri spokesperson told Zee Business that its team was instantly on its feet in efforts to resolve the issue as soon as it was brought to their notice by CERT-in (Indian Computer Emergency Response team.

“Post receiving the information, the testing server port was plugged immediately from the network. The server in question was a test server, and some of our logs were partially replicated on the same. As a general protocol, any and all data older than 24 hours are automatically deleted from the server. Further, we would like to clarify that report suggesting 7,00,000 email addresses leaked in 3 days is factually incorrect as it would be impossible for that to happen since the server contains at most a days-worth of data,” the statement read. 

It further claimed that RailYatri does not store financial and other sensitive data with the exception of some partial details. 

“We do not store credit card data on our servers. Data privacy is of utmost importance to us, and we have taken a thorough look at the issue to address it comprehensively. We are committed to the safety of user data,” it added.

However, it has closed the server after the security firm raised the matter with the government wing, Indian Computer Emergency Response Team (CERT-In). 

The privacy breach can easily lead to the information being used for phishing or other scams. This can also cause physical security issues as people with malicious intents can misuse the location and travel plan details.