- A security flaw in Railyatri has allegedly exposed the data of as many as 7 lakh passengers.
- The Railyatri platform accidentally exposed users' UPI data and debit card details due to flawed security policies.
- The exposed details included users' names, phone numbers, email ids, ticket details, and credit and debit card numbers.
A security flaw in Railyatri has allegedly exposed the data of as many as 7 lakh passengers. As per a report, the Indian ticketing platform accidentally exposed users' UPI data and debit card details due to flawed security policies, putting the data of that many users at risk. The exposed details included users' names, phone numbers, email ids, ticket details, and credit and debit card numbers.
As per a report by The Next Web, the data that was accidentally exposed by Railyatri was stored on an unsecured server. A security firm, which first spotted the vulnerability, reported that the server had no encryption or password protection to safeguard the users' data. A group of safety detectives stated in a blog that anyone with the server's IP address could access the data on the Elasticsearch server. The report also claimed that the data that was left exposed mostly belonged to Indian users.
However, in a statement to NDTV, the Railyatri team said it is trying to resolve the vulnerability that was spotted.
"At RailYatri, we take the safety and privacy of our user-base seriously, and as soon as the issue was brought to our notice by CERT-In (Indian Computer Emergency Response Team) a week back, our team was instantly on its feet in efforts to resolve the issue then and there. Post receiving the information, the testing server port was plugged immediately from the network. The server in question was a test server, and some of our logs were partially replicated on the same. As a general protocol, any and all data older than 24 hours are automatically deleted from the server," the statement by Railyatri read.
The team also disputed the report that claimed that the data of 7 lakh users was exposed due to the security flaw found in the ticketing platform. "Further, we would like to clarify that report suggesting 7,00,000 email addresses leaked in 3 days is factually incorrect as it would be impossible for that to happen since the server contains at most a day's worth of data," the team said in a statement.
Railyatri also flatly denied claims that it stores users' financial data on its platform. Rubbishing the reports, it said, "We would like to assure our users that RailYatri does not store financial and other sensitive data with the exception of some partial details. We do not store credit card data on our servers. Data privacy is of utmost importance to us, and we have taken a thorough look at the issue to address it comprehensively. We are committed to the safety of user data."