Company denies that 700,000 users had their details exposed via public-facing server
Indian train ticketing company RailYatri has downplayed a data breach which was reported to have exposed the personal information of 700,000 customers.
Last week, security researchers from Safety Detectives disclosed how they discovered a publicly exposed search server maintained by RailYatri that was not password-protected or encrypted.
Exposed data included full names, ages, physical and email addresses, payment logs, and partial records of credit and debit card information, according to a blog post on the Safety Detectives website.
The researchers said they discovered the server issue on August 10, a day after it was exposed on the internet.
“Three days later, on August 12, our team reviewed the data, the server became the target of a Meow bot attack, leading to the deletion of almost all server data,” the post reads.
“Most of the affected users were based in India with our team estimating that around 700,000 individuals were likely to be directly affected by the breach.”
In an email sent to The Daily Swig, however, RailYatri downplayed the impact of the incident.
The vendor said that, after it was notified of the issue by CERT-in (Indian Computer Emergency Response team) a week ago, it disconnected the server immediately.
A spokesperson also said the incident concerned a test server, which contained only “partially replicated” logs.
“As a general protocol, any and all data older than 24 hours are automatically deleted from the server,” the spokesperson told The Daily Swig.
“Further, we would like to clarify that report suggesting 700,000 email addresses leaked in three days is factually incorrect as it would be impossible for that to happen since the server contains at most a days-worth of data.”
RailYatri did not deny that user data was publicly exposed, but said that it only stores partial details of customers.
“We would like to assure our users that RailYatri does not store financial and other sensitive data with the exception of some partial details,” the spokesperson added.
“We do not store credit card data on our servers. Data privacy is of utmost importance to us, and we have taken a thorough look at the issue to address it comprehensively. We are committed to the safety of user data.”
The Daily Swig has reached out to Safety Detectives for comment and will update this article accordingly.
RailYatri has also been contacted to clarify whether the datasets detailed in the disclosure, other than the email and payment card data, were exposed.