Indian Railways Should Secure Data Before Monetising It
IRCTC may or may not have already been hacked; the railways doesn't need to inform you about it, because there are no compulsory disclosure laws in India. Indian Railways (IR) has other portals for ticket reservations; IRCTC is just one of the major public-facing portals. Most of those railway portals are still running on unsecured protocols. They don't use any type of security certificate yet and thus readily fall victim to hackers.
It's no secret that the railways has bugs in its portal sites; the notorious bug of the captcha being text is laughed about in Reddit and Quora threads. If you are familiar with the Indian Railway Fan Club Association and are a railway enthusiast, you'll know how the moderators had to block people from posting internal data from the Integrated Coaching Management System, an internal portal of the railways.
OTAs (Online Travel Aggregators) exploit several security bugs and hit railway servers constantly, data mining thousands of data records. Some decrypt encrypted content in violation of the IT Act. They are even monetizing real-time railway info beyond the limited permissions they have to use it. You can't hold any railway property illegally according to the Railways Property (Unlawful Possession) Act 1966; it follows that railway info is its property also. At the moment, information like PNR status, train status and ticket availability would fall under public data. But OTAs obtaining it using exploits in code makes the info illegal, irrespective of it already being public. These practices of OTAs could prove potent at a time of calamity.
When Estonia was attacked, it showed the world how impactful cyber warfare could be. Everything from banking to communications was hit. When Snowden made the disclosures about the scale of NSA snooping, every other government started fortifying its IT infrastructure and started using the same approaches as the NSA. The Chinese often use their Great Firewall for both censorship and attacks and aren't far behind the Americans.
Railways is critical infrastructure for the country; any weakness can be a significant risk. Recognizing that, IR came up with a Basic Security Policy in 2008. But a recent CAG report from 2015 on IT infrastructure for team management points out that nearly 90-100% of employees use the same password, sidelining the system made for role-based access management. Several contract workers are provided with the same username and password, defying the whole logic of the policy.
The way railways is using information technology to reach individuals and help them over social media is astonishing, but at the same time there is no place for someone to report security bugs. Bug bounty programs are in many cases used by businesses to address their security issues, drawing on the expertise of professional security experts and hobbyists. In the present budget year, Indian Railways is spending 50 crores to finance inventions in the space of data, part of which focus on cyber-security, according to Mr. Suresh Prabhu.
What the railways is failing to understand is this: purchasing a cybersecurity solution is not going to solve its problems. It's the culture in CRIS which needs to transform. The minister continues to stress the significance of change in the 150-year-old organization. If it means to tackle cyber security, it needs to improve CRIS personnel. Railways can set an example by assembling a skilled IT team to help CRIS and re-innovate itself. The internet moves really fast; today's security is tomorrow's vulnerability, and the railways has to begin adjusting to it.
Railways lately began adopting the National Data Sharing & Accessibility Policy (2012) to an extent; the chief data officer for railways has opened up a number of the train timetables (around 2800 trains) on Open Government Info Portal. The policy requires datasets to be classified into private, public and limited data. It's high time railways started improving its data practices, releasing open data and open APIs, and closing security loopholes around sensitive information, possibly by embracing a bug bounty program. It is crucial for railways to secure the info it possesses before it attempts to monetize it.