Indian Railways has revealed it has suffered “a number of incidents … regarding breaches in various IT applications” and appears to have blamed some of them on sloppy infosec practices among staff working from home due to the COVID-10 pandemic.
The organisation’s document [PDF] announcing the cyber-transgressions says “a majority of these are application related,” but doesn’t explain what applications were impacted nor the extent of the intrusions.
Which is a little scary, as Indian Railways says it has 1.54 million people on the payroll, plus serves 13 million passengers a day, and about a million of those book tickets using what the organisation describes as “computerised reservation facilities.” The organisation is known to operate an intranet, a Freight Operations Information System and almost certainly many more applications besides. The Register would be surprised if it does not have a fabulous tangle of legacy systems and more modern kit.
UK govt finds £200,000 under sofa to kick off research into improving mobile connectivity on nation’s crap railways
And then there’s the 108,000km of tracks, 6,853 stations, and 11,000-plus daily services the organisation operates.
India requires government organisations to file data security breach reports, though they are not made public. The Register has asked Indian Railways to explain what applications were compromised, and if these break-ins resulted in any risk to the public. We will update this story if we receive a substantive response.
Indian Railways has tied some of the incidents to “improper handling of the IT assets by the personnel in general,” and said the security incidents have increased “as electronic working gets further proliferated.” Staff have been ordered to undergo infosec training to ensure they don’t place the organisation at further risk. ®