Amid serious allegations that personal data of over one crore passengers may have been hacked into in a massive data-theft, Indian Railways claimed on Thursday that no “sensitive data” posing financial risk has been compromised from the e-ticketing system of IRCTC, India’s largest e-commerce portal.

In damage control mode, the Railway Ministry said in a statement that an expert committee, formed early this week to look into the matter, has in its preliminary report “not found any indication of breach of security in any of the databases of the e-ticketing system”. However, further investigations are on and the expert committee has sought details of the leaked data.

This comes after the Maharashtra cyber security cell alerted the Western Railways early this week that massive user profile data may have been hacked from its system. The Railway Board was immediately apprised by the Western Railways, which, according to officials, held an emergency meeting on May 2 and formed a six-member expert committee with equal representation from the Indian Railway Catering and Tourism Corporation (IRCTC) and the Centre for Railway Information Systems (CRIS), the IT arm of the Railway Ministry that maintains the IRCTC website.

While officials BusinessLine contacted said they would only be able to give an informed comment after going through ‘the purported leaked data’ and ‘fully understanding the nature of it’, a statement put out by the Railways tried to underplay the security threat of the alleged data-hacking by suggesting that no leakage of ‘sensitive’ data has been reported.

‘No ordinary matter’

Pavan Duggal, Cyberlaw expert, said: “The IRCTC leak represents the biggest and largest reported personal data security breach in India. It is no ordinary matter but represents a massive attack on India’s critical information infrastructure, ultimately aimed at prejudicially impacting India’s cyber security and sovereignty.

“It has taken advantage of the fact that India does not have a dedicated data protection law in India and that the existing Indian cyber law takes such matters very lightly. This incident needs to be a wake-up call for all stakeholders to proactively work in ensuring compliance with applicable laws, cyber security regulations and international best practices.”

The data of the e-ticketing system can be broadly categorised into two categories — sensitive information like debit/credit card details, login ids and passwords, which could cause potential financial risk. “PAN card detail is not required for booking e-ticket. No sensitive data has been alleged to have been leaked,” stated a Railway Ministry release.

It added that other data like mobile numbers and email ids are available with a large number of electronic service providers, e-commerce firms and telemarketers. E-mail ids and mobile numbers have to be shared with service providers for providing catering, cab and SMS services, and hotel bookings. Till now, leakage of data has not been established through any of the service providers of IRCTC, the statement said. While IRCTC is the ticket booking website, the e-ticketing system is managed in-house by CRIS. The data centre is in the premises of CRIS, stated the Railways.

As soon as the matter came to the notice of the Railways on May 2, the government said it conducted thorough investigations to verify the claims, but no such incident has been detected by the technical teams of CRIS or IRCTC. AK Manocha, Chairman and Managing Director of IRCTC, has also written to the Delhi police’s cyber cell to inquire into the matter.

The IRCTC website has a user base of over one crore, and at least five lakh tickets are booked daily.

To log in and book tickets, each user has to create an account and share personal information, including email id and mobile number. This sort of data is greatly valued by companies for targeted or customised marketing in the digital era.