Home National IRCTC plugs critical data breach on insurance portal 

IRCTC plugs critical data breach on insurance portal 

by rajtamil
0 comment 38 views

IRCTC plugs critical data breach on insurance portal

A cybersecurity analyst had flagged vulnerability that gave access to travel details of passengers and also option to change nominee in travel insurance

CERT-In said the concerned organisation had confirmed that the vulnerability had been fixed and requested him to verify at his end.

CERT-In said the concerned organisation had confirmed that the vulnerability had been fixed and requested him to verify at his end.
| Photo Credit: Special Arrangement

The Indian Railway Catering and Tourism Corporation (IRCTC) has addressed a critical vulnerability on its insurance portal that previously allowed unauthorised access to passengers’ travel details and enabled changes to nominee information in the insurance policy.

Cybersecurity researcher Nilabh Rajpoot of Noida discovered the bug after booking train tickets on the IRCTC website and opting for travel insurance. He received a link via SMS that, upon entering the PNR and registered mobile number, opened the travel insurance policy provided by United India Insurance Co Ltd. The link included an option to update nominee details.

Cost of data breaches in India hits all-time high in FY24: IBM

Mr. Rajpoot’s curiosity and hacker instincts led him to investigate potential data leaks on the portal. By entering random PNRs and fictitious mobile phone numbers, he found that the portal revealed passengers’ travel details, such as journey date, train number, berth/seat, email, mobile phone, and insurance policy information. Shockingly, the portal allowed modification of nominee details without requiring an OTP or security question.

Random PNRs

“I entered hundreds of random PNRs and mobile phone numbers and accessed passengers’ travel/insurance details. Although the link issued an alert that the mobile number did not exist, it still provided the passenger data. I immediately reported the issue on July 23, 2024, to the Computer Emergency Response Team – India (CERT-In), which communicated the vulnerability to the relevant organisation,” Mr. Rajpoot told The Hindu on Sunday.

In a reply on July 30, 2024, CERT-In said the concerned organisation had confirmed that the vulnerability had been fixed and requested him to verify at his end.

How to spot fake websites and avoid scam

The vulnerability on the IRCTC insurance portal was significant as it exposed sensitive passenger information, including journey and contact details. Although the issue was found on the insurance portal managed by a third party, the data security and privacy concerns affected IRCTC as the custodian.

Mr. Rajpoot focuses on identifying and mitigating security risks through routine assessments of various online portals. “In this case, unauthorised individuals could access and modify policyholders’ details, including nominee information. We must protect sensitive information from fraudulent access and manipulation,” he said.

Read Comments

  • Copy link
  • Email
  • Facebook
  • Twitter
  • Telegram
  • LinkedIn
  • WhatsApp
  • Reddit

READ LATER
Remove
SEE ALL
PRINT

Related Topics

railway

/
indian railways

You may also like

2024 All Right Reserved.

Adblock Detected

Please support us by disabling your AdBlocker extension from your browsers for our website.