Indian Railway and Tourism Organization Leaked 900,000 User Records

Published on October 14, 2020
Written by: Bill Toulas, Infosec Writer

A set of 900,000 user records has just appeared on the dark web, and upon analyzing it, researchers found that it belongs to the Indian Railway Catering and Tourism Corporation (IRCTC). This organization is a subsidiary of the Indian Railways, responsible for handling online ticketing operations, catering, and tourism. IRCTC is also directly responsible for running the “Tejas Express,” India’s first semi-high-speed, fully air-conditioned train service, which was launched three years ago.

The discovery of the data comes from researchers at Cyble, the dark web risk monitoring firm that routinely checks dark web forums and marketplaces for new datasets. Upon examining the details, the researchers concluded that the data was exfiltrated by hackers sometime last year.

The user who shared the data did so without asking for a fee, and it appears that they are not the actor who exfiltrated it. Moreover, there is no indication that IRCTC ever received a ransom note, so the organization may not have been extorted and quite possibly has not become aware of the security incident to this day.


The fields that populate each user record were listed in a screenshot published by Cyble (Source: Cyble); the screenshot is not reproduced here.

The consequences of this exposure include an increased risk of phishing attacks, scam attempts, spam texts, and deceptive phone calls. Thankfully, the most sensitive data, such as payment details from online ticketing, actual home addresses, and travel dates and times, is not included in this leak, and email addresses appear to be missing too. Had those been available, scammers and phishing actors would be in a much stronger position.


If you have used IRCTC’s “Tejas Express” line and/or the services of the Indian Railways in general, check Cyble’s AmIBreached.com tool to find out whether your details are included in this leak. If they are, treat all incoming communications with caution, whether SMS, phone call, or email. Additionally, monitor your financial transactions and contact your card issuer immediately if a transaction you don’t recognize appears.

This leak may well be only part of a larger batch that has gone undetected or has not yet been shared on the dark web, and which could contain more data. Also, since IRCTC has not made any statement about this incident, it may not yet have identified and closed the security hole, so if you have to use its services, take every precautionary security measure you can.
