Train ticketing platform RailYatri hit by data breach

RailYatri says some registered user information limited to age, email, preference city and phone numbers may have been viewed by unauthorised individuals

January 04, 2023 11:14 pm | Updated January 05, 2023 10:31 am IST - New Delhi

Photo: Twitter/@RailYatri

Photo: Twitter/@RailYatri

Train ticketing platform RailYatri on Wednesday confirmed that it suffered a data breach in December 2022, shortly after the Railway Ministry denied that user data were being sold on the dark web leaked from the Railways’ side.

“We observed a security breach in our system on December 28, 2022,” a RailYatri spokesperson told The Hindu. “We quickly established the source of the breach and fixed it within a few hours. Some RailYatri registered user information limited to age, email, preference city and phone numbers may have been viewed by unauthorised individuals. No other sensitive customer information has been compromised. We have reported the incident to the government authorities and are exploring legal steps to be taken.”

The company said it was working with the Indian Computer Emergency Response Team (CERT-in) to investigate the breach and audit its security systems. “Our platforms have proper authorisation and authentication in place and access to the applications is through HTTPS and servers are behind firewalls which can be accessed through VPN only by authorised teams.”

While the breach was reported to the authorities on December 28, the Railway Board did not name RailYatri when it issued a statement on December 30 denying that data were stolen from IRCTC. “All IRCTC business partners,” such as reselling platforms like RailYatri were asked to evaluate their systems, a Railway Board spokesperson had said.

Breach in 2020

Over 30 million user records were reportedly being sold on the dark web as a result of the breach. RailYatri has previously suffered a similar breach in 2020, which was reported by Safety Detectives, a portal run by security researchers and privacy experts. That breach impacted 7,00,000 users, the portal said.

While the Digital Personal Data Protection Bill, 2022 provides for penalties in the event of a data breach, the law is yet to be passed, over five years after the Supreme Court affirmed the constitutional right to privacy and kick-started the process for the creation of data protection legislation. Previous drafts of the Bill were either withdrawn or reworked in past years.

Top News Today

Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in


Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.