Indian Railways Is All Set To Sell Citizen’s Data To The Highest Bidder

Up till now, we have heard of a multitude of instances where hackers attack data centers to access customer data. The frequent data breaches and hacking attempts for data (instead of money) show the importance and worth of these databases. It seems the Indian Railways have also realized this potential. According to recent news, Indian Railways is planning to sell its database gathered through the IRCTC website.

Indian Railways Looks For The Highest Bidder To ‘Buy’ Their Data

People may now witness the very first incident where the Government of a country sells its citizens’ data. India’s biggest eCommerce entity, IRCTC (the website for booking Indian Railways’ tickets), plans to “utilize” its “customers’ data”.

The IRCTC website has around 30 million registered users and receives approximately 60 million visits each month. With an average of 2 million visitors per day, IRCTC issues roughly 700,000 tickets each day. The customer details collected by the IRCTC website include names, contact numbers, age, meal preferences, income bracket, and other minute details. Considering these statistics, one can believe that the data compiled by the IRCTC website every year would range up to 100 terabytes. That makes IRCTC a ‘treasure trove’ of data.

Last month, the Indian Railways revealed its plans to make money through this data. The Indian Minister of Railways, Piyush Goyal, said in a statement at a news conference:

“There’s huge data with the company and that’s not getting captured in the valuation. We’re trying to see how we can utilize that.”

However, they never explicitly stated plans to literally “sell” the data. Rather, they hinted more towards “data analytics”, as mentioned by former Railway Minister Suresh Prabhu:

“The Indian Railways is one of the largest data creators in the world. It has to handle a large volume of data which needs to be used wisely. Data analytics is a way forward,”

Reportedly, the selling of data constitutes a large part of the IRCTC disinvestment plan.

Data Scientist Expresses Concerns

The comments of Vasant Dhar, professor and data scientist at the Stern School of Business and the Center for Data Science at New York University, were reported as follows:

“Something about this just rings strange to me,” said Vasant Dhar, noting that when a passenger gives the railways her data, she doesn’t expect the data to be sold further for profit. Sharing IRCTC data as part of a disinvestment deal, he said, would mean that data given to the railways as a custodian would be passed on to unknown third parties. “Companies should monetize data,” Dhar said. “You should expect something very different from the government.”

Previous Railway Minister Already Gave A Hint About It In Previous Years

The actual picture of data selling became clear only recently. However, the Indian Railways’ plans to monetize data aren’t new. In 2016, the previous Minister of Railways, Suresh Prabhu, expressed his vision to increase revenue for Railways in a press release. It states,

“Railways to monetize the data collected on passenger preferences, ticketing, commodity, train running on various services and operations. IRCTC also offers opportunities of taking of e-commerce activities on large number of hits that it receives.”

Then again, in 2017, the matter of monetizing the gigantic database of IRCTC came into the limelight. According to an official from IRCTC,

“We’ve asked KPMG to evaluate options to see if it makes sense to set up a subsidiary, a joint venture, or a special purpose vehicle through IRCTC (Indian Railway Catering and Tourism Corp. Ltd) to look at the options to monetize data.”

However, at that time, people could only speculate about different marketing strategies through which IRCTC could make money. Selling the data, and that too by the Government, is a unique event.

What Next?

Although India has no explicit policies similar to the EU’s GDPR, its Information Technology Act 2000 covers major clauses regarding cyber crimes, privacy and security breaches. According to the 2011 amendments in the data privacy rules of the IT Act, written permission/user consent is necessary before storing, selling, or sharing the data. Failure to do so could lead to legal action. However, in this case, despite there being no user consent for the selling of data, it is difficult to predict the scenario for a Government department.

The Indian Railways is the eighth largest employer in the world, having around 1.4 million employees in 2015. With so many employees on board, it is paradoxical for it to sell the data of customers who may have one or the other link with one or more of its employees. Such a decision might put a question mark on how the department plans to maintain the privacy and security of its employees’ data.

We shall keep you updated about the matter as we get to know more.
