wordpress blog stats
Connect with us

Hi, what are you looking for?

A free insurance bug caused data vulnerabilities on the IRCTC website and app

The personal data (including nominee details) of 200,000 IRCTC passengers was made vulnerable to hacking through a bug which offered free and mandatory travel insurance, reports the Economic Times. It is unclear if any data was stolen, and the the bug reportedly existed for nearly two years.

Security researcher Avinash Jain found the bug in IRCTC’s website and mobile app link which connects to a third-party insurance company for free travel insurance. Jain said that within 10 minutes of finding the bug, he was able to read the details of around 1000 passengers.

Of the 3 companies offering rail travel insurance, the vulnerability was found only in the link to Shriram General Insurance, and not ICICI Lombard General Insurance and Royal Sundaram General Insurance.

He reported the matter to IRCTC on 14 August, while the bug was fixed on 29 August. The bug would have given hackers unfettered access to details such as name, age, gender and insurance nominees of the passengers and the 10 digit PNR number.

In September, IRCTC decided to discontinue the mandatory free travel insurance which was introduced in December 2016 to encourage customers to book their tickets online. According to IRCTC’s annual report for 2016-17, e-ticketing accounted for 62% of reserved railway tickets in India, with over 573,000 tickets sold daily through the IRCTC website.

In May 2016, the IRCTC website was hacked and personal data of around 1 crore customers was feared to have been stolen from the servers of the e-ticketing portal. However, the Indian railways denied that the website had been hacked, and claimed that they had not received any indication that a data breach had taken place.

Advertisement. Scroll to continue reading.

E-ticketing fraud rampant

Last week, we reported that the Indian Railways would deactivate 1,268 user IDs on IRCTC. It forfeited 1,875 scheduled e-tickets after it conducted raids against e-ticketing fraud in over 100 cities in the country. Railway Police force officials concluded that certain user IDs on the railways’ ticketing platform IRCTC were being used to purchase tickets online illegally.

The State Crime Branch officials also arrested two people and recovered software which hacks railway software and railway e-tickets in a raid conducted on travel company ‘Odisha Communication’ in Jaleswar, Balasore district, Odisha.

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



The US and other countries' retreat from a laissez-faire approach to regulating markets presents India with a rare opportunity.


When news that Walmart would soon accept cryptocurrency turned out to be fake, it also became a teachable moment.


The DSCI's guidelines are patient-centric and act as a data privacy roadmap for healthcare service providers.


In this excerpt from the book, the authors focus on personal data and autocracies. One in particular – Russia.  Autocracies always prioritize information control...


By Jai Vipra, Senior Resident Fellow at Vidhi Centre for Legal Policy The use of new technology, including facial recognition technology (FRT) by police...

You May Also Like


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ