Railyatri Security Flaw Could Have Exposed Debit Cards, UPI Data of 7 Lakh Passengers: Report

RailYatri exposed nearly 43GB of user data due to the security flaw.

By Shayak Majumder | Updated: 25 August 2020 09:56 IST
Highlights
  • RailYatri security flaw exposed user names, payment information
  • It was first spotted by Safety Detectives, a cyber-security firm
  • RailYatri has closed the unprotected server in question

RailYatri security flaw stemmed from an unprotected Elasticsearch server

RailYatri reportedly left user data exposed because of inadequate security measures, putting the payment information and other personal data of lakhs of users at risk. As per the report, the data sat on an unsecured server, and the ticket-booking platform potentially exposed the personal information of over 7 lakh passengers, including full names, phone numbers, addresses, email IDs, ticket booking details, and partial credit or debit card numbers. The exposure was first spotted by a team of cyber-security researchers on August 10.

As reported by The Next Web, the exposed Elasticsearch server was spotted by a team of researchers at cyber-security firm Safety Detectives on August 10. The security firm discovered that the affected server was left exposed without any encryption or password protection for several days. Safety Detectives said in its blog that anyone with the server's IP address could have gained access to the full database.

The blog pointed out that the data, amounting to nearly 43GB, mostly featured users based in India. The firm estimated that over seven lakh individuals were likely affected by the vulnerability.
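The core finding above is a server that answered requests without asking for credentials. As an added example, not code from the article, RailYatri or Safety Detectives, the Python script below shows the check a practitioner would run against their own Elasticsearch hosts: classify the response to GET / (open, auth-required, or not Elasticsearch at all) and, if the node is open, total the document count and on-disk size from /_cat/indices the way a researcher sizing an exposure would. The network probe is real; the index names, counts and sizes in the sample responses are constructed assumptions and do not describe the RailYatri server.

```python
# Added example (not from the article, RailYatri, or Safety Detectives):
# a minimal audit of an Elasticsearch endpoint for the failure mode the
# report describes: a node that answers GET / and /_cat/indices with no
# authentication at all. The network probe is real; the sample responses
# used by demo() are constructed so the script also runs offline.
import json
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

ES_TAGLINE = "You Know, for Search"  # banner Elasticsearch returns on GET /


def classify_root_response(status, body):
    """Classify an HTTP response to GET / on a suspected Elasticsearch host.

    Returns one of:
      "open"              - 200 with the Elasticsearch banner: no auth required
      "auth-required"     - 401/403: security is enabled or a proxy enforces it
      "not-elasticsearch" - something else (or nothing useful) is listening
    """
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return "not-elasticsearch"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-elasticsearch"
    if isinstance(doc, dict) and doc.get("tagline") == ES_TAGLINE and "cluster_name" in doc:
        return "open"
    return "not-elasticsearch"


def summarize_indices(cat_indices_json):
    """Total documents and bytes from /_cat/indices?format=json&bytes=b.

    With bytes=b Elasticsearch reports store.size as a plain byte count, so
    no unit suffix parsing is needed. All fields arrive as strings.
    """
    rows = json.loads(cat_indices_json)
    docs = sum(int(r.get("docs.count") or 0) for r in rows)
    size = sum(int(r.get("store.size") or 0) for r in rows)
    return {"indices": len(rows), "docs": docs, "bytes": size,
            "gib": round(size / 2**30, 2)}


def fetch(url, timeout=5):
    """GET url without credentials; return (status, body_text)."""
    try:
        with urlopen(Request(url), timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as e:                      # 401/403 land here
        return e.code, e.read().decode("utf-8", "replace")
    except URLError as e:                       # refused, timeout, DNS
        return 0, str(e.reason)


def audit(base_url):
    """Probe a host you are authorized to test; returns a dict of findings."""
    base = base_url.rstrip("/")
    status, body = fetch(base + "/")
    result = {"verdict": classify_root_response(status, body)}
    if result["verdict"] == "open":
        s, b = fetch(base + "/_cat/indices?format=json&bytes=b")
        if s == 200:
            result.update(summarize_indices(b))
    return result


# Constructed sample responses (shape matches Elasticsearch 7.x output;
# the names and numbers are made up, not the RailYatri data).
SAMPLE_ROOT = json.dumps({
    "name": "node-1", "cluster_name": "test-logs",
    "version": {"number": "7.8.0"}, "tagline": ES_TAGLINE,
})
SAMPLE_CAT = json.dumps([
    {"health": "yellow", "status": "open", "index": "payment-logs-2020.08.10",
     "docs.count": "1500000", "store.size": "2147483648"},
    {"health": "yellow", "status": "open", "index": "booking-logs-2020.08.10",
     "docs.count": "250000", "store.size": "536870912"},
])


def demo():
    """Offline walk-through of the two classification steps."""
    verdict = classify_root_response(200, SAMPLE_ROOT)
    summary = summarize_indices(SAMPLE_CAT) if verdict == "open" else {}
    return verdict, summary


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # e.g. python es_audit.py http://127.0.0.1:9200
        print(audit(sys.argv[1]))
    else:
        print(demo())
```

Run it only against hosts you are authorized to test. An "open" verdict is the condition described in the report, and the remediation is configuration rather than code: bind `network.host` in `elasticsearch.yml` to a private interface instead of a public one, enable authentication with `xpack.security.enabled: true` (available in the free tier since 6.8/7.1), and keep port 9200 behind a firewall or reverse proxy.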


Gadgets 360 has reached out to RailYatri for a statement. This report will be updated when we hear back.


Update: A company spokesperson denied the claims and said that it does not store "financial and other sensitive data," apart from some partial details. The spokesperson also stated that RailYatri only stores a day's worth of data, which would not amount to this scale of information.

At the time of writing, RailYatri had not responded to The Next Web or Safety Detectives, but it closed the server after the security firm raised the matter with the government's Indian Computer Emergency Response Team (CERT-In).


On August 12, a Meow bot attack led to the deletion of nearly all of the data on the server, according to Safety Detectives' blog post. Meow is an automated attack, first seen in July 2020, that wipes unsecured, internet-exposed databases such as Elasticsearch, Redis, and MongoDB instances. An unauthenticated server is therefore at risk not only of data theft but of outright destruction before its owner notices the exposure.

The database in question comprised over 37 million records, including log files. The exposed information included full names, age, gender, physical and email addresses, contact numbers, payment logs, UPI IDs, train and bus booking details, and travel itinerary information. It also carried partial credit and debit card details as well as users' GPS location information.


Full statement from the RailYatri spokesperson, updated on August 25:

"At RailYatri, we take the safety and privacy of our user-base seriously, and as soon as the issue was brought to our notice by CERT-In (Indian Computer Emergency Response Team) a week back, our team was instantly on its feet in efforts to resolve the issue then and there. Post receiving the information, the testing server port was plugged immediately from the network. The server in question was a test server, and some of our logs were partially replicated on the same. As a general protocol, any and all data older than 24 hours are automatically deleted from the server. Further, we would like to clarify that the report suggesting 7,00,000 email addresses leaked in three days is factually incorrect as it would be impossible for that to happen since the server contains at most a day's worth of data.

Having said so, we would like to assure our users that RailYatri does not store financial and other sensitive data with the exception of some partial details. We do not store credit card data on our servers. Data privacy is of utmost importance to us, and we have taken a thorough look at the issue to address it comprehensively. We are committed to the safety of user data."
