#LeakAlert: RailYatri exposes personal data of over 700,000 passengers
RailYatri, a renowned Indian platform for train and bus bookings, has publicly exposed the personal data of more than 700,000 of its users. The information was leaked through a server that was left unprotected on the internet, allowing open access to anyone who knew where to look. Here is all you need to know about it.
Unprotected server spotted by security researchers
On August 10, a team of researchers from security firm Safety Detectives stumbled upon the unprotected RailYatri database. They noted that the information, hosted on an Elasticsearch server, had no password protection or encryption and was essentially available to anyone in the world. The entire dataset was nearly 43GB in size and had over 37 million records, the company found.
Personal information available for access
The researchers discovered that the unprotected database held plenty of personally identifiable information on more than 700,000 people. This included their full names, ages, genders, phone numbers, home addresses, email IDs, locations, ticket booking details, UPI IDs, and partial credit/debit card numbers (the first four and last four digits), along with the name of the card-issuing bank and expiry information.
However, all that information was soon wiped
As the team at Safety Detectives worked to confirm the authenticity of the database and get RailYatri to secure it, the unprotected information was attacked by the Meow bot. The bot targets unsecured internet-facing databases and wipes them without even leaving an explanatory note. In this case, it ravaged the entire RailYatri dataset, bringing the total hosted information down to 1GB.
A week after discovery, the database was secured
When the researchers approached RailYatri to inform them about the leak, the company remained silent. So, on August 17, they contacted the Indian Computer Emergency Response Team (CERT-In) to flag the issue. A day later, the database, which was still being updated with new user information, was quietly secured. Neither CERT-In nor RailYatri offered any comment on the matter.
No clarity on whether anyone else accessed this database
Given that RailYatri remains tight-lipped, there is no way to say whether anyone else, apart from the folks at Safety Detectives, was able to access the unprotected database. Notably, the information that was exposed here (card numbers, locations, travel plans) could easily be used by hackers to carry out targeted phishing attacks or even cause physical harm to a person.