Over 31 million people’s personal information was exposed as a result of a massive data breach at RailYatri, India’s government-approved online travel agency. An online database of private information has been released, and it is thought the breach occurred late in December 2022.

Founded in 2011, RailYatri is an Indian travel marketplace endorsed by the government that serves about 24 million passengers per day through its travel network. In addition to offering bus and train tickets for domestic Indian travelers, the company also offers an app, which can be downloaded from Google Play and the App Store.

Users can purchase bus and train tickets from the Indian Railway Catering and Tourism Corporation (IRCTC) on RailYatri’s website, as well as check live train timings, trip status, offline timetables, seat availability, and offline GPS train tracking.

Unprotected Server Leads to Leaks

RailYatri’s data breach is not a common instance of hackers exploiting flaws, collecting data, and then releasing it. As a matter of fact, a report issued claims that back in 2020, when cybersecurity expert Anurag Sen discovered a misconfigured Elasticsearch server that was accessible to everyone online without a security password or any authentication. On 12 August 2020, the server became the target of a Meow bot attack, leading to the deletion of almost all server data.

As the report further points out, most of the affected users were based in India with an estimate of 700,000 individuals directly affected by the breach.

Possibly the most damaging aspect of the data breach was the partial credit and debit card payment logs, which included the name on the card, the first four digits of the card number, the card-issuing bank, as well as the expiration date of the card.

According to Cyber Security News, other leaked data included:

  • Full names
  • Age
  • Gender
  • Physical addresses
  • Email addresses
  • Mobile phone numbers
  • Payment logs
  • Partial records of credit and debit card information
  • Unified Payment Interface (UPI) ID
  • Train and bus ticket booking details
  • Travel itinerary information including which stations passengers boarded/disembarked
  • Users’ GPS location information including MCC, MNC, LAC, and CellID data
  • Authentication token information
  • User session logs including login times

What Are the Risks?

The risks associated with disclosing personally identifiable information (PII) are obvious. It is possible to use users’ contact information for fraud and to use personal data exposed in the hack to incite malware downloads and click-throughs.

Any small piece of seemingly innocuous information can be collated by malicious actors, to be used later or in parallel with other information in order to deceive the intended target.


It is also important to note that location data has been leaked. Using RailYatri’s server, users could record and store their location information when booking tickets and track their progress with integrated GPS functionality. Hackers could use this information to locate the nearest cell tower to the user, as well as their current location.

If you liked this article, follow us on LinkedInTwitterFacebook, and YouTube for more cybersecurity news and topics.

Indian Government Agencies Targeted by Updated ReverseRAT Backdoor

What Is Data Erasure?

Data Leaks: How An HR Platform Left Employees’ Private Data Exposed

Cricket Platform Exposed over 100k Customer Data Entries

What Is Data Leakage?

What Is a Data Breach and How to Prevent It

Leave a Reply

Your email address will not be published. Required fields are marked *