IRCTC plugs critical data breach on insurance portal 

A cybersecurity analyst had flagged vulnerability that gave access to travel details of passengers and also option to change nominee in travel insurance

Updated - August 05, 2024 11:10 am IST - Chennai

CERT-In said the concerned organisation had confirmed that the vulnerability had been fixed and requested him to verify at his end.

CERT-In said the concerned organisation had confirmed that the vulnerability had been fixed and requested him to verify at his end. | Photo Credit: Special Arrangement

The Indian Railway Catering and Tourism Corporation (IRCTC) has addressed a critical vulnerability on its insurance portal that previously allowed unauthorised access to passengers’ travel details and enabled changes to nominee information in the insurance policy.

Cybersecurity researcher Nilabh Rajpoot of Noida discovered the bug after booking train tickets on the IRCTC website and opting for travel insurance. He received a link via SMS that, upon entering the PNR and registered mobile number, opened the travel insurance policy provided by United India Insurance Co Ltd. The link included an option to update nominee details.

Mr. Rajpoot’s curiosity and hacker instincts led him to investigate potential data leaks on the portal. By entering random PNRs and fictitious mobile phone numbers, he found that the portal revealed passengers’ travel details, such as journey date, train number, berth/seat, email, mobile phone, and insurance policy information. Shockingly, the portal allowed modification of nominee details without requiring an OTP or security question.

Random PNRs

“I entered hundreds of random PNRs and mobile phone numbers and accessed passengers’ travel/insurance details. Although the link issued an alert that the mobile number did not exist, it still provided the passenger data. I immediately reported the issue on July 23, 2024, to the Computer Emergency Response Team – India (CERT-In), which communicated the vulnerability to the relevant organisation,” Mr. Rajpoot told The Hindu on Sunday.

In a reply on July 30, 2024, CERT-In said the concerned organisation had confirmed that the vulnerability had been fixed and requested him to verify at his end.

The vulnerability on the IRCTC insurance portal was significant as it exposed sensitive passenger information, including journey and contact details. Although the issue was found on the insurance portal managed by a third party, the data security and privacy concerns affected IRCTC as the custodian.

Mr. Rajpoot focuses on identifying and mitigating security risks through routine assessments of various online portals. “In this case, unauthorised individuals could access and modify policyholders’ details, including nominee information. We must protect sensitive information from fraudulent access and manipulation,” he said.

0 / 0
Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in

Comments

Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.