Clarification regarding IRCTC website
News Reports have appeared in some Electronic and Print media regarding alleged leakage of email and mobile numbers from user profile data of IRCTC E-ticketing system. Indian Railway Catering and Tourism corporation (IRCTC) is a PSU of Indian Railways. Its website irctc.co.in is used for purchasing Railway E-Tickets.
Firstly, Indian Railways would like to clarify that there has been no hacking of the IRCTC website. The E-ticketing website has been working normally thereby eliminating any chances of unauthorized interference. As soon as the matter came to notice of Railways on 02/05/2016, thorough investigations were conducted to detect veracity of the news, however, no such incident has been detected.
The Ministry would like to assure that all necessary Safeguards and security checks are in place for this website. There is a system of regular security audits by concerned departments of government of India. All the components of the system are functioning normal and no unusual activity has been discovered. All sensitive data like passwords etc are stored in encrypted form. In addition to this, 24x7 monitoring of the system is done throughout the year by technical team of experts. Hence there is no cause for any panic or concern. A Railway committee set up couple of days back, in its preliminary report has not found any indication of breach of security in any of the databases of the E‑ticketing system.
The complete facts about the matter is given below:-
The News Reports have appeared in some Electronic and Print media regarding alleged leakage of email and mobile numbers from user profile data of IRCTC E-ticketing system. Indian Railway Catering and Tourism corporation (IRCTC) is a PSU of Indian Railways. Its website irctc.co.in is used for purchasing Railway E-Tickets-ticketing system is managed in-house by CRIS, the IT arm of Indian Railways. The Data centre is in the premises of CRIS. As soon as the matter came to notice of Railways on 02/05/2016, thorough investigations were conducted to detect veracity of the news, however, no such incident has been detected by the technical teams of Centre for Railway Information Systems (CRIS) and Indian Railway Catering and Tourism Corporation (IRCTC).
No “Denial of Service attack” (DoS/DDoS) has been successful and the E-ticketing website has been working normally thereby eliminating any chances of unauthorized interference. About 5.48 lakh tickets were booked in a single day in April 2016 with 2.66 lakh peak concurrent users. About 13,600 tickets per minute were booked.
The E-ticketing system has several components viz., internet gateway, network security devices such as gateway router and Firewall, Application Delivery Controller, Security Information Event Management System (SIEM) web server and database server access logs. Each of the components has been checked and none of the components has been found to have unusual activity. Technical investigations have also not indicated any unusual activity with respect to various system components.
The IT security of E-ticketing system is ensured through regular security audits by Standardization Testing Quality Certification (STQC) directorate of Department of Electronics and IT, Government of India. The entire traffic flowing on E-ticketing system internet gateway is also forwarded to CERT-In in real-time for monitoring and alerting. The gaps reported by STQC in their penetration testing have been addressed. However, auditing is an ongoing process and security audit of E-ticketing system is undertaken biannually.
Audit trails are maintained for access to the system and all sensitive data like passwords etc are stored in encrypted form. In addition to this, 24x7 monitoring of the system is done throughout the year by technical team of experts. Strict physical checks are already in place in the Data centre like restricted access to Data centre, CCTV cameras at entry and exit points of Data centre.
The data of E-ticketing system can be broadly categorized into two categories viz., sensitive information like Debit/Credit Card details, Login ID, Passwords, which could cause potential financial risk. PAN card detail is not required for booking E-ticket. No sensitive data has been alleged to have been leaked.
It is clarified that other data like mobile number and email ids is available with a large number of electronic service providing entities viz., E-commerce firms, telemarketers etc. Email and mobile numbers have to be shared with service providers for providing catering services, cab services, hotel bookings, SMS services, etc. Till now, leakage of data through none of the service providers of IRCTC has been established.
A joint committee comprising of officers from both CRIS and IRCTC has been set up. The committee in their preliminary report has not found any indication of breach of security in any of the databases of the E‑ticketing system. Further investigations by this committee is in progress and once the purported leaked data is made available, further checks will be conducted. more
Firstly, Indian Railways would like to clarify that there has been no hacking of the IRCTC website. The E-ticketing website has been working normally thereby eliminating any chances of unauthorized interference. As soon as the matter came to notice of Railways on 02/05/2016, thorough investigations were conducted to detect veracity of the news, however, no such incident has been detected.
The Ministry would like to assure that all necessary Safeguards and security checks are in place for this website. There is a system of regular security audits by concerned departments of government of India. All the components of the system are functioning normal and no unusual activity has been discovered. All sensitive data like passwords etc are stored in encrypted form. In addition to this, 24x7 monitoring of the system is done throughout the year by technical team of experts. Hence there is no cause for any panic or concern. A Railway committee set up couple of days back, in its preliminary report has not found any indication of breach of security in any of the databases of the E‑ticketing system.
The complete facts about the matter is given below:-
The News Reports have appeared in some Electronic and Print media regarding alleged leakage of email and mobile numbers from user profile data of IRCTC E-ticketing system. Indian Railway Catering and Tourism corporation (IRCTC) is a PSU of Indian Railways. Its website irctc.co.in is used for purchasing Railway E-Tickets-ticketing system is managed in-house by CRIS, the IT arm of Indian Railways. The Data centre is in the premises of CRIS. As soon as the matter came to notice of Railways on 02/05/2016, thorough investigations were conducted to detect veracity of the news, however, no such incident has been detected by the technical teams of Centre for Railway Information Systems (CRIS) and Indian Railway Catering and Tourism Corporation (IRCTC).
No “Denial of Service attack” (DoS/DDoS) has been successful and the E-ticketing website has been working normally thereby eliminating any chances of unauthorized interference. About 5.48 lakh tickets were booked in a single day in April 2016 with 2.66 lakh peak concurrent users. About 13,600 tickets per minute were booked.
The E-ticketing system has several components viz., internet gateway, network security devices such as gateway router and Firewall, Application Delivery Controller, Security Information Event Management System (SIEM) web server and database server access logs. Each of the components has been checked and none of the components has been found to have unusual activity. Technical investigations have also not indicated any unusual activity with respect to various system components.
The IT security of E-ticketing system is ensured through regular security audits by Standardization Testing Quality Certification (STQC) directorate of Department of Electronics and IT, Government of India. The entire traffic flowing on E-ticketing system internet gateway is also forwarded to CERT-In in real-time for monitoring and alerting. The gaps reported by STQC in their penetration testing have been addressed. However, auditing is an ongoing process and security audit of E-ticketing system is undertaken biannually.
Audit trails are maintained for access to the system and all sensitive data like passwords etc are stored in encrypted form. In addition to this, 24x7 monitoring of the system is done throughout the year by technical team of experts. Strict physical checks are already in place in the Data centre like restricted access to Data centre, CCTV cameras at entry and exit points of Data centre.
The data of E-ticketing system can be broadly categorized into two categories viz., sensitive information like Debit/Credit Card details, Login ID, Passwords, which could cause potential financial risk. PAN card detail is not required for booking E-ticket. No sensitive data has been alleged to have been leaked.
It is clarified that other data like mobile number and email ids is available with a large number of electronic service providing entities viz., E-commerce firms, telemarketers etc. Email and mobile numbers have to be shared with service providers for providing catering services, cab services, hotel bookings, SMS services, etc. Till now, leakage of data through none of the service providers of IRCTC has been established.
A joint committee comprising of officers from both CRIS and IRCTC has been set up. The committee in their preliminary report has not found any indication of breach of security in any of the databases of the E‑ticketing system. Further investigations by this committee is in progress and once the purported leaked data is made available, further checks will be conducted. more
Viewed by 3096
View all 30 comments Below 30 comments
I have similar experience as described by Mr.Anurag Pare. Booking of tatkal ticket for an individual is difficult job whereas same train same class same day ticket is available to an agent. It is left to the authorities to find out how it is possible and how it is managed by agents. more
Jun 06
Lets not show 60 years of murk as an excuse for slower execution of Railway initiatives. To be FRANK, 1. Even today getting the reserved tickets (even 60 days in advance & tatkaal tickets is still a distant dream 2. Railways passengers safety is still at risk. Quite often we hear the robberies, thefts, etc 3. No increase in passenger trains 4. compartments are dirty. Many stations and wagons wont have good water 5. Lots of beggars, trans genders, street vendors in the stations as well as trains more
May 13
earlier I was booking the tatkal tickets but every time the capcha has showing message invalid captcha but I entered properly, now if it is right then it should be go to booking but it thrown out also when started booking in between the page is not taking the passengers name, that is clear that form is hacked and site will not work as passengers needs. more
May 12
a stop at byappanahalli at least now, will make our lives more easier... the trains bound to and from tamil nadu, kerala would help a lot for the passengers, as nearby people will be benefitted both by time and money... the autos make a heyday in fares during early morning arrivals and departures... almost double the fare we pay for the train journey.. does it ring a bell for the railway ministry.. with metro touching as far a mysore road, covering manyimportant stations, it is best to have stoppings at byappanahalli, rather than even cantonment more
May 10
the recent elected government under mr. prabhu, has been doing some really good service upswing in the railways performance.. howsoever, many issues related to passenger convenience needs to be addressed, no wonder, rome was not built in a day, has some essence, 60 years of murk has to be cleaned in a systematic way... we have a qualifed minister with good finance background at the helm, hope the Railways does some good performance report in times to come, for the benefit of the hapless traveller... more
May 10
