Date: 2018-11-13

IRCTC, the agency that handles the catering, tourism and online ticketing operations of the Indian Railways, took nearly two years to fix a security flaw on its website and mobile app link. The bug would have given attackers access to passenger details such as name, age, gender and insurance nominees without their knowledge or consent. The person responsible for discovering the flaw, security researcher Avinash Jain, estimated that some 200,000 passengers and their details would have been susceptible to being stolen. He discovered the bug on August 14, and it was fixed 15 days later.

India faces the highest number of cybersecurity threats in the Asia-Pacific region, with over 500,000 alerts daily, according to the Cisco 2018 Asia-Pacific Security Capabilities Benchmark, a cybersecurity report. Union ministries and elite security agencies, apart from government bodies, have been victims of a wide range of cyber attacks, from website defacement to ransomware. While many companies have invested millions in ethical hacking incentive programmes, last year, the US’s Department of Defence launched the federal government’s first such programme. While the thought of government agencies in India investing in these programmes might still seem far-fetched, Indian hackers top the charts globally both in terms of numbers and payout, according to Bugcrowd, an ethical hacking platform. The Indian Computer Emergency Response Team (CERT-In), the government's nodal agency for handling cybersecurity threats, had less than 1% of its reported incidents come from security researchers. There is definitely no lack of talent and know-how when it comes to cybersecurity research and knowledge in India, but the government must provide more incentives if it is to harness the nation’s cybersecurity potential. The upcoming data privacy law, like the EU’s GDPR, should also offer legal protections to those who unearth security flaws in agencies.