IRCTC Selling User Email IDs To Spammers And Here Is The Proof

saw an interesting tweet from a friend today on Twitter timeline which said, “Apparently IRCTC is selling its email database to spammers. Getting SPAM on my irctc-only email address”.

I was quite surprised by this, because IRCTC is a big huge government organization, and a bureaucratic one too. For IRCTC, as a organization, to sell user email IDs to marketers or spammers is something I could not believe. So, I decided to dig further. It became quite clear that the email ID on which he received the unsolicited email was used for nothing else apart from IRCTC account registration .
Many users who value their privacy generally use different custom email IDs for registering on different websites (they do it by way of catch-all email functionality, where prefix of mail could be anything and yet all mails arrive at same mailbox), so when they receive any spam on a particular ID, they immediately know the source from where the email ID has been leaked.
In this case it was the ID specifically created for IRCTC: All the emails have been sent to – the email that was created for IRCTC registration. This email was not used elsewhere for any other purposes.

It is quite safe to say that it was not one-off instance and clearly a case where his IRCTC email ID was sold (or shared) to marketers.
Now, just to make sure that IRCTC does not have permission of sharing users’s email IDs, we went through the terms and conditions as well the privacy policy of IRCTC website. It clearly states that they do not collect any information. Here is the screenshot of what IRCTC website says:


Forget about sharing the email ID, the privacy policy mentions that they do not even collect any unique information about users such as your name, email address etc.
Now, I do not know who has drafted this privacy policy, but they clearly do collect user’s email addresses, name and some other personal information as well (How else would they show it in user account everytime they login)! However, they also clearly mention that IRCTC will not share your personal data with advertisers, business partners, sponsors, and other third parties without your express consent.
Does IRCTC sell registered user Email IDs?

We surely have a clear proof that IRCTC email address is compromised, but the question is whether IRCTC themselves do it?
In our view, it is nearly impossible for a govt organization to do anything of this sort. But think about people working inside IRCTC. The system administrators or the software engineers or anyone who has access to the database. They have access to millions of email addresses and that is a potential gold mine and easy money!
In all probability, IRCTC employees having access to user database are responsible for email ID compromise.
Having said that, from user perspective, it is IRCTC who is responsible for the breach and not any one single employee (and hence the title)!

Credit: Arun Prabhudesai

Tagged , , , , , , ,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: