A cyber security firm first spotted the exposed data and reported that the server had neither encryption nor password protection to safeguard the users’ data.
Anyone with the server’s IP address could access the data on the Elasticsearch server, a group of safety detectives stated in a blog post. The report also claimed that the exposed data mostly belonged to Indian users.
The RailYatri team said it is trying to resolve the vulnerability that was spotted.
“At RailYatri, we take the safety and privacy of our user-base seriously, and as soon as the issue was brought to our notice by CERT-In (Indian Computer Emergency Response Team) a week back, our team was instantly on its feet in efforts to resolve the issue then and there. Post receiving the information, the testing server port was plugged immediately from the network. The server in question was a test server, and some of our logs were partially replicated on the same. As a general protocol, any and all data older than 24 hours are automatically deleted from the server,” the statement by RailYatri read.