August 25 2020: Safety Detectives, a pro bono cybersecurity research service, has reported a significant data breach at the popular Indian travel booking app RailYatri. The exposure covered all production server information and ended in the loss of over 43GB of data.
The affected server was left publicly exposed, without password protection or encryption, for several days, which meant that anyone with the server’s IP address could have gained access to the entire database.
The Safety Detectives security team, led by Anurag Sen, discovered the exposed server on 10 August 2020, a day after it first became reachable from the Internet on 9 August 2020. On 12 August 2020, while Sen and his team were still reviewing the data, the server was hit by a Meow bot attack, which deleted almost all of the data it held. Meow bots automatically overwrite unauthenticated databases that they find exposed on the Internet, so the exposure alone was enough to invite the destruction.
Most of the affected users were based in India; the team estimated that around 700,000 individuals were likely to be directly affected by the breach.
Safety Detectives informed RailYatri of the exposure as soon as practically possible. Having received no reply, the team reported its findings to the Indian Computer Emergency Response Team (CERT-In), the government agency responsible for national cybersecurity. The server was secured the following day.
Founded in 2011, RailYatri is a government-sanctioned Indian travel marketplace serving a travel network that carries around 24 million passengers per day. The company sells bus and train tickets to domestic Indian travellers and operates via the web and through an app available on both the App Store and Google Play. As of the start of August, RailYatri’s mobile app had been downloaded more than 10 million times via Google Play.
According to Safety Detectives, the information found on RailYatri’s unsecured server includes:
- Full names
- Physical addresses
- Email addresses
- Mobile phone numbers
- Payment logs
- Partial records of credit and debit card information
- Unified Payment Interface (UPI) ID
- Train and bus ticket booking details
- Travel itinerary information including which stations passengers boarded/disembarked
- Users’ location information, including GPS data and the cell-tower identifiers MCC, MNC, LAC and CellID:
  - MCC: mobile country code, identifying the country
  - MNC: mobile network code, identifying the mobile operator
  - LAC: location area code, identifying a group of base stations
  - CellID: unique number identifying each base transceiver station or sector; together with the three values above it pins a user to a single cell sector, even when GPS is switched off
- Authentication token information
- User session logs including login times
Possibly the most damaging aspect of the breach is that the researchers found partial credit and debit card payment logs, including the name on the card, the first and last four digits of the card number, the card-issuing bank and the card expiry date.
Thankfully, the stored card numbers were truncated to those fragments, which drastically reduces the chance of direct financial fraud. However, combined with the full names, phone numbers, email addresses and booking details held on the same server, the card fragments are enough for resourceful attackers to craft convincing phishing messages that induce victims to hand over their complete financial information.
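The truncation described above is the one defence that held in this incident. As an added illustration (not RailYatri’s or Safety Detectives’ code, and the field names and the sample record are constructed for this example), here is how a payment record can be masked before it ever reaches an application log: the card number is validated, reduced to no more than the first six and last four digits that PCI DSS permits in the clear (the report describes first four / last four), and secrets such as authentication tokens are dropped outright rather than stored alongside it.

```python
import re
from typing import Dict

# Constructed sample record, modelled on the field types the report lists
# (name on card, card number, issuing bank, expiry, UPI ID, auth token).
# It is NOT data from the exposed server; the PAN is the standard Visa test number.
SAMPLE_RECORD: Dict[str, str] = {
    "name_on_card": "A. Example",
    "pan": "4111111111111111",
    "issuing_bank": "Example Bank",
    "expiry": "12/24",
    "upi_id": "example@upi",
    "auth_token": "tok_abc123",
}

# Fields that must never be written to a log or a secondary store.
SECRET_FIELDS = {"auth_token", "cvv", "password"}


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a card number, keeping at most the first 6 and last 4 digits.

    6/4 is the PCI DSS requirement 3.3 ceiling for displayed PANs; callers may
    keep fewer. Spaces and dashes are stripped first. Raises ValueError for
    anything that is not a plausible PAN so that junk is never silently logged.
    """
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS allows at most first 6 / last 4 in the clear")
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def redact_payment_record(record: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of a payment record that is safe to write to a log:
    the PAN is masked first 4 / last 4 (as in the RailYatri logs) and
    secret fields are dropped entirely."""
    out: Dict[str, str] = {}
    for key, value in record.items():
        if key in SECRET_FIELDS:
            continue
        if key == "pan":
            out[key] = mask_pan(value, keep_first=4)
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    print(redact_payment_record(SAMPLE_RECORD))
```

Even a correctly masked record still carries the cardholder name, bank and expiry, which is exactly what makes a breached log useful for phishing; masking limits direct card fraud, but access control on the store that holds the log is still the control that matters.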
Safety Detectives’ full report can be found here
Summary of findings:
- Number of leaked records: 37+ million
- Number of affected users: approx. 700,000
- Size of breach: 43+ gigabytes
- Server location: Netmagic data centre in Mumbai, India
- Company location: India