IRCTC Denies Hack, But Leaked Data Could Be Genuine
IRCTC's MD Says Data Theft Needs Verification, But No Intrusion Took Place
Although the Times of India reported on April 5 that the Indian Railways Catering & Tourism Corp. was hacked and the personal data of more than 10 million users compromised, IRCTC denies the claim.
Sources tell Information Security Media Group that the report was published after the Times learned that Maharashtra Police's Cyber Cell had informed IRCTC that it had retrieved a DVD allegedly containing IRCTC customer data from a fraudster group that it had apprehended in the course of some other investigation.
With IRCTC's technical investigation team having ruled out hacking, the onus is now on law enforcement to enable IRCTC to vet the allegedly stolen data ASAP.
IRCTC released a statement denying it was the victim of any hacking incident and noting that its servers and website were up and running - with no interruptions in service. But A.K. Manocha, IRCTC's chairman and managing director, told news outlet Aaj Tak that the authenticity of the data in police possession needs to be verified to determine if it, indeed, was stolen from IRCTC.
Manocha clarified in an interview with ABP News in India (see YouTube link below) that IRCTC does not host payment card information, and that all transactions were routed through third-party gateways, putting to rest speculation that the 10 million records may have contained payment card data.
IRCTC is the e-ticketing and hospitality portal operated by the state-run Indian Railways Corp. Issuing more than 500,000 tickets and other transactions per day, it is India's largest e-commerce portal.
Now that the possibility of a hack has been ruled out by the railway investigation, law enforcement and IRCTC need to work together to determine if the purported data recovered from the cybercriminal gang was indeed stolen - either from IRCTC or from its huge third-party network. This is a time-sensitive matter, and bureaucratic bottlenecks need to be worked out swiftly.
The mainstream media's roughshod handling of the details of this developing story, and the Indian bureaucracy's reluctance to provide transparent responses, leave a lot of confusion in the air. As with most "cyber hacking" stories published in India in recent times, like with the Ola Cabs 'hack' case (see: Ola Cabs Hack: An Analysis), the media seem to have jumped the gun on this one.
Timeline of the Alleged Hack
Sources tell ISMG that the Times of India story was based on an incident wherein the Maharashtra Cyber Cell came into possession of a DVD with alleged data of IRCTC customers, which contained their transaction records, PAN and Aadhaar card numbers, date of birth, etc. Maharashtra police is then believed to have informed the railways on April 3. Sources also say that the DVD with this data was apparently being sold on the black market in Delhi for Rs. 15,000.
The natural assumption thereafter has been that the website was hacked and data thus extracted. However, to IRCTC's credit, its statement released after its technical investigation looks surprisingly detailed and articulate, and explains that no hacking incident or intrusion has been detected by the technical teams that investigated the matter. This level of detail is also a great precedent, in my opinion.
The railway ministry has gotten involved, and a high-level committee has been constituted by IRCTC to probe the matter, the Business Standard reports.
IRCTC Says Systems Secure
IRCTC's Manocha categorically stated to ABP News in an interview that IRCTC's websites and servers had not been hacked. He said the network had recently undergone a security audit, and that IRCTC's websites and servers are protected by several layers of security controls.
"IRCTC is undergoing an STQC (Standardization Testing & Quality Certification) certification, undertaken by the Department Of Electronics for the last nine months, since July 2015. A lot of money is being spent on this exercise, and three levels of penetration testing have already been done," he says in the interview.
Case of the Missing Data
The question is: If the data recovered by the police is, in fact, IRCTC customer data, could this then be a case of data theft through other means, possibly an insider or a third-party service provider - of which IRCTC has many? (See: India's Growing Breach Potential) Or perhaps even some automated script siphoning off data from queries to IRCTC's ticketing system - since the data in question seems not to be sensitive and can be retrieved in this manner, per Manocha's comment to Aaj Tak?
Suffice it to say, even if this wasn't a hack, since IRCTC is a government entity, failure to protect customer data could cost them under the IT Rules 2011, which impose penalties if such a breach is established.
A source within IRCTC, speaking anonymously, tells ISMG that the data in question is still in possession of the police, and repeated requests to them to share the disk with IRCTC have borne no fruit. IRCTC is therefore unable to verify if the data is indeed theirs, he says. And while they wait, IRCTC has been in the midst of a media maelstrom, with no way of ascertaining what they were dealing with.
The only way to establish that a breach/leak has taken place is to analyze the data. With hacking having been ruled out by IRCTC, and its technical investigation team having examined its networks, as per the statement, the onus now shifts to law enforcement to enable IRCTC to vet the allegedly stolen data and lay the matter to rest, if they haven't done so already.
And for my colleagues in the mainstream media, just because data is out does not mean a "hack" necessarily happened. Adding the word "alleged" wouldn't have hurt, my friends.
As of now, here is how I see it: 1) There has been no systems hack, if the official statement is to be believed; 2) There is data out there, allegedly from IRCTC; 3) This needs to be verified and, if the data is genuine, IRCTC may need to look beyond just the possibility of external threats and VA/PT, as these audits have, and start a mole hunt for insider lapses.