Two held over information theft

Breach of security on railway ticket site prompts data safety concerns

Law enforcement authorities have detained two people suspected of stealing and disclosing private information about railway passengers, as Internet security companies continue to warn about security bugs on the ticket-booking website.

The two suspects, identified as Jiang and Shi by the railway police, allegedly tried account names and passwords that they collected through bugs from other websites on China Railway Corp's ticket booking website, 12306.cn, according to a statement released on Friday by the company.

Once the account names and passwords matched on 12306.cn, they obtained user information stored in the system and then sold it, the State-owned railway operator said.

Chinese media reported on Thursday that the personal information and passwords of more than 130,000 users of 12306.cn had been leaked on the Internet, posing a serious threat to their information privacy.

User information registered on the ticket booking website includes real names, ID card numbers and phone and email contacts. A user's account may also include information about family members and friends. China's railway tickets are sold based on ID information.

The incident took place as millions of Chinese are struggling for a hometown-bound train ticket during the annual Spring Festival travel rush. The news has caught extensive attention from the public as nearly 3.5 million tickets on average would be bought each day via the website during the 40-day rush.

Chinese tradition holds that people should return home and spend Spring Festival, the most important Chinese holiday, with their families, which creates an annual travel rush that is arguably the world's largest recurrent human migration.

The coming Spring Festival falls on Feb 19. The chunyun in 2015 will begin on Feb 4 and last until March 16.

In 2014, about 266 million trips were made on railways, up 12 percent from the previous year.

China Railway Corp assured people that their passwords have been encrypted so they will not be leaked from the website.

Nevertheless, using the same password for different websites or buying tickets from a third-party website increases the risk of the information leaking and should be avoided, it noted.

In response to the company's guarantee, two major Internet security service providers have suggested that passengers should use caution when booking tickets on 12306.cn because it still contains serious bugs.

Beijing Rising International Software, one of China's leading anti-virus software makers, said there are several bugs on the ticket booking website, that can enable hackers to control its branch servers, attack the website and even grab all information in its database.

Qihoo 360 Technology, another popular Web security firm, said the logon system of 12306.cn's smartphone applications has loopholes that can be used by hackers to circumvent the safety measures.

The company added that it has submitted related information to the National Computer Network Emergency Response Technical Team/Coordination Center to help handle the incident.

"Internet users should change their passwords on a regular basis and set sophisticated passwords for important accounts," said An Yang, a computer security researcher at Qihoo.

zhaolei@chinadaily.com.cn