Indian Railways denies IRCTC data breach but launches investigation

On December 28, the railways had submitted a data breach alert of the Indian Computer Emergency Response Team (Cert-In) to IRCTC

The Indian Railways on Thursday denied claims of a suspected data breach from servers of the Indian Railway Catering and Tourism Corporation (IRCTC).

"In this connection, it may be submitted that Railway Board had shared a possible data breach incident alert of CERT-In to IRCTC reporting a data breach pertaining to Indian Railways passengers," it said in a statement, as reported by PTI. 

"On analysis of sample data, it is found that the sample data key pattern does not match with IRCTC history API. Reported/suspected data breach is not from the IRCTC servers," it added.

However, the railways announced that it had initiated an investigation into the alleged breach.

"All IRCTC Business Partners have been asked to immediately examine whether there is any data leakage from their end and apprise the results along with corrective measures taken to IRCTC," it said.

On December 28, Business Standard reported that the railways submitted a data breach alert of the Indian Computer Emergency Response Team (Cert-In) to IRCTC.

"An incident regarding an Indian Railway data breach has been reported in the media. In this connection it may be submitted that Railway Board had shared a possible data breach incident alert of Cert-In to IRCTC reporting a data breach pertaining to Indian Railways passengers," the Railways said.

"On an analysis of sample data, it was found that the sample data key pattern does not match with IRCTC history API (application programming interface). Reported/suspected data breach is not from the IRCTC servers," it added.