RailYatri, Indian online train ticket sales company, leaked data of millions of users

A severe security incident could affect millions of people in India. According to network perimeter security specialists, one of the most popular travel booking centers in the country operated without the most basic computer security measures, resulting in a data breach incident that exposed more than 43 GB of personal information.

RailYatri is a transportation platform that serves about 24 million users a day. This firm sells bus and train tickets for travelers inland India through its website and a mobile app for iOS and Android devices.

The affected Elasticsearch implementation operated without a password or any other security measure, so anyone who could find the affected IP address could have accessed the exposed information.

Anurag Sen, from firm Safety Detectives, discovered a severe vulnerability on the affected server on August 10, just three days later it was discovered that the server had been the victim of an attack by the Meow bot, which removes the information exposed in insecure deployments like this. Researchers believe that 100% of the 700,000 affected users are based in India. Among the data exposed in this incident are:

  • Full names
  • Birth dates
  • Gender
  • Physical addresses
  • Email addresses
  • Mobile phone numbers
  • Payment logs
  • Partial records of credit and debit card information
  • Unified Payment Interface (UPI) ID
  • Train and bus ticket booking details

According to the network perimeter security specialists, the most dangerous thing about this incident is that any threat actor may have accessed incomplete payment card data of users of this system, including the first and last digits, card type, carrier bank and expiration dates.   

SOURCE: Safety Detectives

While the fact that card numbers appear incomplete (reducing the risk of attack significantly), some groups of threat actors with sufficient resources and knowledge could use this information to deploy phishing campaigns and get complete information from affected users.    

SOURCE: Safety Detectives

Network perimeter security specialists indicate that it is necessary to consider all risks related to these kinds of incidents. Threat actors can use the information exposed to deploy massive campaigns of electronic fraud, identity theft, and even malware attacks. Organizations could also be affected, as a deceived user is the ideal access point to compromise a corporate network.

For security, potentially affected users are advised not to share sensitive information by email or phone, as well as ignore messages of suspicious appearance or sent by unidentified users.