
Protecting Your Privacy on Indian Railway Booking Portals

A friend got spam-bombed after one IRCTC booking. Here's what happened, what these portals actually collect, and the casual fixes that keep your data from leaking everywhere.

Amit Patel
·12 min read

So last November, my friend Karan booked a Rajdhani from Delhi to Mumbai. Normal stuff — opened the IRCTC app during his lunch break, punched in names and ages for himself and his wife, paid via UPI, done. Two days later his phone started buzzing with calls from travel insurance companies. Then came the hotel offers. Then some random "tour package" SMS from a number in Jaipur. He hadn't signed up for any of it. He hadn't opted into anything. He just bought a train ticket.

That little episode got me digging into what actually happens to your data when you book a train ticket in India, and honestly, it's wilder than I expected. We're talking about a system that handles something like 25 to 30 lakh bookings on a busy day, and the data practices around it range from "mildly careless" to "why is this even legal." Grab some chai, because this one's a ride.

Here's What They Actually Collect

You probably think IRCTC just takes your name and phone number. You'd be wrong. Every time you make a booking, here's the data that gets scooped up — and I'm talking just the official platform, not the third-party apps yet.

Your full legal name, age, and gender for every passenger on the ticket. Your registered mobile number and email address, obviously. Your payment information flows through a gateway, but the platform still logs transaction IDs, timestamps, and payment methods. Then there's the stuff you don't think about: your IP address, your device type and operating system, your approximate location if you're on the app, and cookies that track your browsing behavior on the IRCTC website.

The really interesting bit is the pattern data. Book enough tickets and IRCTC has a detailed picture of your travel life — where you go, how often, who you travel with (co-passenger names and ages), whether you prefer AC or Sleeper, what times you typically travel. That's a behavioral profile, and it's worth money to advertisers. IRCTC's own privacy policy, if you've ever read it (and let's be honest, nobody reads it), mentions sharing data with "business partners" and "service providers" in language vague enough to drive a truck through.

Back in 2020, IRCTC actually floated a tender to monetize passenger data. They wanted to hand booking data to a consulting firm that would analyze it and sell insights. There was public backlash, the tender got pulled, but it tells you something about the institutional attitude toward your travel information. They see it as an asset, not a liability.

The Third-Party App Problem

Here's where it gets worse. Lots of people don't use IRCTC directly. They'll book through Paytm, MakeMyTrip, Goibibo, ConfirmTkt, RailYatri — apps that promise seat predictions, faster booking, PNR alerts, and a generally less painful user experience than IRCTC's sometimes-glitchy interface.

These third-party apps need your IRCTC login credentials to book on your behalf. Let that sink in for a second. You're handing your username and password for a government platform to a private company. Some of these apps also request permissions on your phone that have nothing to do with booking a train ticket: access to your contacts (supposedly to auto-fill passenger details), access to your SMS (to read OTPs automatically), and sometimes access to your location, camera, and storage.

Why does a train booking app need your camera? It probably doesn't. But once you grant permission, that access can be used for all kinds of background data collection. A 2024 report by a Bangalore-based security researcher found that at least three popular PNR tracking apps were sending device identifiers and usage data to advertising networks in real time — stuff that had zero connection to train bookings.

ConfirmTkt, to their credit, was fairly upfront about using data for "personalized recommendations and advertisements" in their privacy policy. Others weren't as transparent. The point is, every third-party app you let into this process is another entity holding your personal data, with its own security practices (or lack thereof) and its own commercial incentives for that data.

The PNR Problem That Won't Go Away

This one drives me nuts. Your PNR — that 10-digit number printed on every railway ticket — is basically a lookup key for your personal information. Anyone who has it can check your name, age, train number, boarding station, destination, coach, and berth number through half a dozen websites and apps. There's no authentication required. No OTP. No login. Just type the number and there's your passenger data.

Think about how many places your PNR shows up. It's on your e-ticket, which you might share on a family WhatsApp group. It's in your email confirmation. If you're traveling for work, it might be on an expense report that goes through multiple people. The delivery person who drops off food at your berth can see it. The TTE who checks your ticket can photograph it.

A few years back, security researchers pointed out that you could enumerate PNR numbers sequentially — just keep adding 1 to a known PNR and you'd get valid records for other passengers. Indian Railways partially addressed this by adding CAPTCHA and rate-limiting to their lookup API, but third-party apps and websites that offer PNR checks don't always have the same protections. Some of these sites are probably harvesting PNR query data to build their own passenger databases.

The fix here is genuinely simple: require OTP verification before showing passenger details, or only display partial information (berth number without passenger name, for instance). But it hasn't happened, and I suspect it's because everyone in the ecosystem — from the apps that built businesses around PNR lookups to the Railways themselves — benefits from that data being easily accessible. Convenience and privacy pulling in opposite directions, like always.
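Two halves of the problem above, written as an added example (not IRCTC's code or any real lookup service): a detector that spots a client walking through consecutive PNRs in a lookup log, and the partial-display response the text proposes. The log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of lookup-API request logs (not real traffic):
# "<epoch-seconds> <client-ip> <10-digit pnr>"
SAMPLE_LOG = """\
1700000000 203.0.113.5 4512345670
1700000001 203.0.113.5 4512345671
1700000002 203.0.113.5 4512345672
1700000003 203.0.113.5 4512345673
1700000004 203.0.113.5 4512345674
1700000010 198.51.100.9 8123456789
1700000400 198.51.100.9 8123456790
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\d{10})$")

def parse_log(text):
    """Yield (timestamp, client, pnr) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), int(m.group(3))

def find_enumerators(text, run_len=4, window=300):
    """Return {client: longest run} for clients whose queries form a run of
    at least run_len consecutive PNR numbers inside `window` seconds. A
    traveller checks one or two PNRs; a +1 walk produces long runs."""
    by_client = defaultdict(list)
    for ts, client, pnr in parse_log(text):
        by_client[client].append((ts, pnr))
    flagged = {}
    for client, hits in by_client.items():
        hits.sort()
        run, best, start_ts = 1, 1, hits[0][0]
        for (t0, p0), (t1, p1) in zip(hits, hits[1:]):
            if p1 == p0 + 1 and t1 - start_ts <= window:
                run += 1
            else:
                run, start_ts = 1, t1  # run broken: restart the clock
            best = max(best, run)
        if best >= run_len:
            flagged[client] = best
    return flagged

def mask_record(record):
    """Partial-display fix: return only the fields a co-traveller needs
    (train, coach, berth, status) and drop name, age and gender."""
    keep = ("train", "coach", "berth", "status")
    return {k: record[k] for k in keep if k in record}
```

The second client queries two adjacent PNRs minutes apart and is not flagged, which is the behaviour a real passenger checking a companion's ticket would show.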

What About That E-Catering Data?

Here's one people overlook. When you order food on the train through IRCTC's e-catering service or through Zomato/Swiggy integrations, you're sharing your PNR, coach position, and real-time location (the train's route effectively tells them where you are at any given time) with food delivery partners. That's a live location feed tied to your identity, accessible to restaurant staff and delivery personnel along the route.

I'm not saying your biryani delivery person is going to stalk you. But the data flow is worth understanding. Your food ordering behavior on trains gets linked to your travel patterns, creating an even richer profile. And the restaurant partners in this chain are typically small vendors who aren't exactly running enterprise-grade data security operations.

The Data Breach History Nobody Talks About

IRCTC has had data security incidents before. In 2019, reports surfaced of a data leak affecting millions of users' personal details, including names, phone numbers, and email addresses. IRCTC denied it at the time, but users reported a spike in spam calls and phishing attempts shortly after. In 2023, researchers found an unsecured API endpoint that could potentially expose booking details when queried with valid parameters. These aren't isolated incidents — they're symptoms of a system that wasn't designed with data security as a priority and has been bolting on protections after the fact.

The fundamental issue is that IRCTC is primarily a ticketing operation, not a technology company. Its core competence is managing railway reservations at mind-boggling scale. Data security, privacy-by-design, encryption standards, access controls — these are afterthoughts in an organization where the primary metric of success is "did the booking go through." That's not a criticism of the people working there; it's a structural observation about institutional priorities. When the CEO is measured on ticket sales and system uptime, data privacy will always be a secondary concern.

Third-party apps are even worse in this regard. RailYatri suffered a significant data breach in late 2022 where user records were found exposed on an unsecured Elasticsearch server. The company confirmed the incident weeks after it was publicly reported. ConfirmTkt's data practices have been questioned by privacy researchers. And smaller PNR tracking apps that pop up and disappear from the Play Store — who knows what they're doing with the data they collect. You're trusting your travel information to companies whose security practices you've never audited and whose continued existence isn't guaranteed.

There's also the matter of data retention. How long does IRCTC keep your booking history? Their privacy policy says data is retained "for as long as necessary to provide the services," which is wonderfully non-specific. Does that mean they delete your booking from five years ago? Almost certainly not. Your complete travel history — every trip, every co-passenger, every route — probably sits in their database indefinitely. Under the DPDP Act's data minimization principles, that's questionable. But until someone files a formal complaint and the Data Protection Board takes it up, the practice will continue.

Okay, So What Do You Actually Do About It

Right, enough doom and gloom. Here's the practical stuff, things that take maybe 10 minutes total and genuinely reduce your exposure.

First, ditch the third-party apps if you can. I know IRCTC's interface isn't great, but it's gotten better over the past year, and you're cutting out an entire layer of data sharing. If you absolutely need a third-party app for waitlist prediction or something, at least create a separate IRCTC account for it — one that's not linked to your primary email or phone number. Use a secondary SIM or a Google Voice-type number.

Speaking of which, get a dedicated email for travel bookings. A free Gmail or Outlook account that you only use for IRCTC, airline bookings, and hotel reservations. All the spam and phishing attempts from data leaks go there instead of your main inbox. Takes five minutes to set up and saves you a lot of headaches.

Don't save payment methods on booking platforms. Yeah, it's convenient to have your card on file. It's also convenient for anyone who gains access to your account. Use UPI for each transaction — it's an extra 15 seconds and your card details aren't sitting in IRCTC's database.

Check your IRCTC profile settings. There's an option to opt out of promotional communications buried somewhere in there. Find it. Use it. Also review what personal details you've stored in your profile and remove anything that isn't strictly needed for booking.

On your phone, audit app permissions quarterly. Go to Settings, look at which apps have access to SMS, contacts, and location. A PNR tracking app that you installed once and forgot about shouldn't still be reading your text messages six months later. Revoke permissions you don't actively need, or just uninstall apps you're not using.

Stop sharing ticket screenshots on social media. I see people do this all the time — posting their booking confirmation on Instagram stories or Twitter as a flex or travel update. Your PNR is right there. Your name is right there. At minimum, scribble over the PNR and the barcode before you post anything.

And if you're booking from a railway station or a cafe, use a VPN. Public Wi-Fi networks are easy to snoop on, and entering your IRCTC credentials on an open network is asking for trouble. A basic VPN app costs nothing and encrypts your traffic.

What the Law Says Now

Under the DPDP Act, IRCTC and every third-party booking platform now qualify as Data Fiduciaries. That means they've got legal obligations around consent — they can't just collect whatever they want and bury the disclosure in a 40-page terms of service document. You have the right to know what data they're collecting and why. You have the right to request correction or deletion of your data. And they're supposed to limit data collection to what's actually needed for the service.

"Supposed to" is doing a lot of work in that sentence, obviously. Enforcement is still getting off the ground, and it'll be a while before companies face real consequences for overcollection. But the legal framework is there, and having it matters. If nothing else, it gives you grounds for a formal complaint when a company plays fast and loose with your information.

The DPDP Act also introduces the concept of a Consent Manager — a registered intermediary through which you can manage your consent preferences across Data Fiduciaries. In theory, once Consent Managers are operational, you could use one to audit and withdraw consent across all the platforms that have your travel data. It's an appealing idea. Whether the railway booking ecosystem will integrate with Consent Managers in any meaningful way remains to be seen. IRCTC has historically moved at its own pace on compliance matters, and third-party apps have even less incentive to make it easy for you to revoke their data access.

It might also be worth keeping an eye on how the Central KYC norms intersect with railway bookings. There's been periodic talk about linking Aadhaar to IRCTC accounts for identity verification, particularly for senior citizen concessions and certain quota bookings. If that happens, the data that IRCTC holds about you gets dramatically more sensitive, and the stakes around its protection go way up.

Back to Karan

So whatever happened with my friend? He tried complaining to IRCTC's grievance portal. Got an auto-reply. Followed up twice. Eventually someone responded saying his data was "securely managed" and that third-party marketing communications were "not affiliated with IRCTC." Classic. He ended up blocking about 15 numbers manually, switched to a dedicated travel email, and stopped using the third-party app he'd been booking through.

He also registered on the TRAI DND (Do Not Disturb) registry, which blocks most telemarketing calls, though it doesn't catch every category. And he started checking his IRCTC account's login history periodically — something most people don't know exists — to see if anyone had accessed his account from an unfamiliar device or IP. No unauthorized access so far, but he's keeping an eye on it.

The spam slowed down after a couple of weeks. It didn't stop completely — once your number is in a telemarketing database, it sort of circulates forever — but the flood became a trickle. He's back to booking on IRCTC directly now, swearing at the interface but keeping his data a little closer to his chest.

The whole experience changed how he thinks about data sharing generally, not just for train bookings. He's more cautious with apps now, reads permission screens more carefully, and doesn't hand over information unless he understands why it's needed. One bad experience did more for his privacy awareness than any number of articles like this one. Though I'd prefer it if people learned from articles rather than from spam floods.

That's probably the most honest conclusion I can offer. You're not going to achieve perfect privacy when you're using a system built for scale rather than security. But you can close the biggest leaks, cut out unnecessary middlemen, and make it slightly harder for your train ticket to become someone else's marketing opportunity. That's worth the ten minutes.

Written by

Amit Patel

Tech Security Writer

Amit Patel is a technology journalist and security researcher who covers mobile security, app privacy, and emerging threats targeting Indian users. He previously worked with leading Indian tech publications before joining PrivacyTechIndia.
