UP govt bus booking site compromised customer data of lakhs of passengers – ETtech.com
Government-run Uttar Pradesh State Road Transport Corporation (UPSRTC) left the data of lakhs of customers accessible to hackers for years due to a vulnerability on its website. The exposed data included names, mobile numbers, addresses, dates of birth, personally identifiable information (PII), partial debit and credit card numbers, and transaction and booking details.

The vulnerability was spotted in August last year by security researcher Avinash Jain, who reported it to the Indian Computer Emergency Response Team (CERT-In), the agency that handles cybersecurity threats, so that it could be fixed. The issue was fixed earlier this year. UPSRTC currently manages the booking of the largest fleet of buses in North India.

Speaking to ET, Jain said that a URL parameter was vulnerable to SQL injection because it lacked even basic protection, which let an attacker easily access the complete database and all its information. Jain estimates that the data was at risk for years. “I could access lakhs of customer data but did not count the exact number of the exposed data,” he said.

ET could not independently verify if any passenger data was stolen during the period that the bug existed. E-mailed queries sent to CERT-In did not receive any response till the time of publishing the article.

In August last year, UP Police also arrested four hackers, including two juveniles, for booking free online tickets due to a compromised payment gateway.

Last month, it was reported that over 260 phishing incidents were observed in the first five months of 2019 as per the information available with the Indian Computer Emergency Response Team (CERT-In). Further, as per the information reported to and tracked by CERT-In, 552 phishing incidents were observed during the year 2017, while in 2018, the number stood at 454, and in 2019 (till May) it was 268. Over 100 government websites, including some managed by the National Informatics Centre (NIC), were hacked in 2018.

India (23%) and the United States (20%) are the top two countries represented in the HackerOne hacker community. Other countries, Russia (6%), Pakistan (4%) and the United Kingdom (4%), add smaller numbers to the 166,000-plus registered user base of ethical hackers, as per the 2018 Hacker Report.
