IRCTC hacking.. What Next?

It has been reported that the IRCTC servers have been hacked and the database of millions of users compromised.

See article here

It is also learnt that the information is available on CDs for Rs 15000/- (from unconfirmed private sources).

The fact that IRCTC has been hacked is no surprise. It perhaps happened long back and we have come to know of it only now.

The point that IRCTC does not have proper Information Security systems is being discussed in other fora.

At this point in time, it is not clear what information has been compromised and made public. If it is only personal information such as names and e-mail addresses, used for spamming, it is perhaps tolerable.

However, if sensitive personal information, including passwords, PAN card details, or credit card or bank details, has been compromised, it is unpardonable.

In such a case, action should be initiated by the Police, and there is a need to send somebody in IRCTC to jail.

It is a failure to follow reasonable security practices under ITA 2008, and it assists the commission of further frauds through recklessness, with or without financial benefit.

At the same time, we cannot estimate when a past customer of IRCTC would be hurt. His confidential data may be used any time in the future to commit a fraud. Hence there is a need to protect every customer of IRCTC from possible future loss.

For this purpose, IRCTC must immediately take out a Cyber Insurance contract and cover all its account holders against possible identity-theft-related losses over the next 3 years, up to, say, an amount of Rs 5 lakhs. Whatever the cost of such insurance, it must be borne by IRCTC.

IRCTC should also immediately give a notice to all its customers by individual e-mail as per standard “Data Breach Notification Policy” (Please see CLCC for a draft of a model policy).

If such a policy has not been adopted, it confirms the lack of “Due Diligence”.

In January, TOI carried an article titled “IRCTC website a sitting duck for Hackware”. This was a notice on which remedial action should have been initiated.

Naavi.org has itself raised the possibility of hacking way back in August 2010 and also recently asked if IRCTC should have taken Cyber Insurance.

However, IRCTC has not taken any remedial measures, and even now a Google search on “IRCTC hacking” reveals many sites promoting hacking of IRCTC.

All this indicates complete negligence of the Information Security responsibilities at IRCTC for which the persons responsible must be held accountable.

I suppose somebody should take up a PIL on this account.

The Supreme Court takes up many less worthy cases on Suo Moto basis and there are activists who hoist PIL litigation for innocuous matters which Courts spend time on.

Will any responsible Judge consider it worthwhile to take up this case on a Suo Moto basis and ensure that people who have shared their personal data with IRCTC are protected against losses arising out of the identity theft?

The PRO of IRCTC seems to have given a statement that the “Website of IRCTC is not hacked”.

The PRO may not be aware that it would not have mattered much if the website had been defaced rather than the data having been compromised. He is either unaware of the damage or has not shared the info with the public. Hope IRCTC releases a note through their website on what exactly has happened and what the risks to the public are.

P.S.: Will the Aadhaar database be the next on CD on the streets?

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.

One Response to IRCTC hacking.. What Next?

  1. Kapaleeswaran says:

    Good one! Can you specifically enlighten as to how a common man could be impacted by such compromised data? Suppose my card number and phone numbers are taken. Other than irritating telemarketing nuisance, what other risks would one be exposed to? Kindly elaborate.
