RailYatri Could Have Revealed Debit Cards of 7 lakh Passengers: Report

4 years ago 157

RailYatri was reportedly left exposed due to inadequate security measures, which put the payment information and other personal data of lakhs of users at risk. As per the report, the data was saved on an unsecured server, and the ticket-booking platform potentially exposed personal information of over 7 lakh passengers. This includes full names, phone numbers, addresses, email IDs, ticket booking details, and partial credit or debit card numbers. The vulnerability was first spotted by a team of cyber-security researchers on August 10.

As reported by The Next Web, the exposed Elasticsearch server was spotted by a team of researchers at cyber-security firm Safety Detectives on August 10. The security firm discovered that the affected server was left exposed without any encryption or password protection for several days. Safety Detectives said in its blog that anyone with the server's IP address could have gained access to the full database.

The blog pointed out that the data, amounting to nearly 43GB, mostly featured users based in India. The firm estimated that over 7 lakh individuals were likely affected by the vulnerability.

Gadgets 360 has reached out to RailYatri for a statement. This report will be updated when we hear back.

At the time of writing, RailYatri had not responded to The Next Web or Safety Detectives, but closed the server after the security firm raised the matter with the government wing, the Indian Computer Emergency Response Team (CERT-In).

On August 12, a Meow bot attack led to the deletion of nearly the entire server data, according to Safety Detectives' blog post. The Meow bot is a new type of cyber-attack that deletes unsecured databases that run Elasticsearch, Redis, or MongoDB servers.

The database in question comprised over 37 million records, including log files. The information exposed included full names, age, gender, physical and email addresses, contact numbers, payment logs, UPI IDs, train and bus booking details, and travel itinerary information. It also carried partial records of credit and debit card information as well as the users' GPS location information.


Shayak Majumder is Chief Sub Editor at Gadgets 360. A journalist since 2013, he has worked both on the field as well as behind the desk in several organisations including Indian Express Online and MSN. As a reporter, he covered a wide range of verticals, from politics to the development sector. While at Indian Express, he regularly reviewed video games, gaming hardware and the growth of MMORPG in India. He is also a passionate musician and a former trainer, currently working on his upcoming EP.
