From Queues to Clicks to Crackdowns: The Full Story of IRCTC's Security War

For most of India's working population, the ability to book a confirmed train ticket is not a convenience — it is a survival skill. In a country where 13 million passengers travel by rail every single day, the queue at a railway reservation counter was once the great equaliser: exhausting, opaque, and easily gamed by those with money, connections, or the patience to stand in line from 5 AM. When IRCTC moved that queue online, it promised to democratise access. What it did instead, for many years, was recreate the same inequity in digital form — faster, more sophisticated, and considerably harder to regulate.

The figures released for 2025-26 tell a story of remarkable operational scale: 14.53 lakh tickets booked per day on average, 37,410 tickets booked in a single minute, 89% of all reserved tickets sold digitally, and the deactivation of 3.03 crore suspicious user IDs. But these numbers only make sense when read against the decades of dysfunction, fraud, and institutional failure they are slowly — and incompletely — overcoming.

Chapter One: The Promise and the Reality of Going Digital

IRCTC was established on 27 September 1999 as a public sector undertaking wholly owned by the Government of India through Indian Railways. Its online ticketing platform launched in 2002, and the ambitions were transformative. Before digitisation, railway bookings could consume an entire working day, with potential passengers lining up as early as 5 AM. The only way to check seat availability was at a physical counter. Cancellations and modifications required repeating the entire ordeal. 

Into that gap, an entire shadow economy had flourished. The secondary market for railway bookings was a thriving business. Middlemen purchased tickets beforehand — often through bribed station staff — and resold them at prices as high as double the base fare. The quota system, which reserved seats for defence personnel, government employees, and various caste categories, made the system even more opaque, giving middlemen a structural advantage over general category passengers.

IRCTC relied only on word-of-mouth publicity and had a slow start. In 2002, only 27,000 tickets were being booked online per day, growing to just 40,000 by 2008. The platform was underpowered, poorly marketed, and often inaccessible to users without reliable broadband. The touts were not disrupted — they adapted, moving their operations online alongside everyone else.

Chapter Two: The Problems That Came with Scale

As internet penetration expanded and smartphone adoption accelerated, IRCTC's volumes exploded — and so did its vulnerabilities. By 2012, the Railway Minister was admitting in the Rajya Sabha that 20-25 complaints were received every day about the IRCTC website becoming inaccessible during early hours and about booking transactions failing after passengers had already been charged. 

This was not just a technical embarrassment. It was a systemic failure with real human cost. A passenger whose payment was deducted but whose ticket was not confirmed faced an ordeal of refunds, re-bookings, and lost travel plans. The platform that was supposed to eliminate the suffering of the physical queue had simply replaced it with a new kind of digital suffering — one that was, if anything, more disorienting because the failure happened invisibly, at the moment of greatest urgency.

The Tatkal system — designed to allow last-minute bookings at a premium — became the most acute flashpoint. A sense of disillusionment spread among users who compared India's global reputation for information technology excellence with the perceived fragility of its most vital public transport booking portal. Some accounts highlighted the specific struggle of common passengers, suggesting that the system inadvertently favoured automated bots or specialised agents, leaving the average traveller at a distinct disadvantage. 

That suspicion was entirely correct.

Chapter Three: The Bot Economy

As IRCTC scaled up, professional fraudsters built a parallel infrastructure specifically designed to exploit it. An investigation revealed how organised groups were exploiting loopholes in the IRCTC system, making it nearly impossible for ordinary citizens to get a confirmed seat. This illicit trade operates openly on popular messaging platforms like Telegram and WhatsApp, where a key commodity is sold: Aadhaar-authenticated IRCTC user IDs, priced at around ₹360 each. 

The fraudsters relied on advanced "bots" — automated software programs — and special browser extensions designed to fill in all booking details, from login credentials and train information to passenger names and payment details, in less than a minute. This lightning-fast process overwhelmed the IRCTC system, pushing genuine users out. To evade detection, operators used Virtual Private Servers to hide their real locations. Some racket leaders also ran websites selling these bots commercially, with prices ranging significantly.

During peak booking times, automated traffic was estimated to account for up to 50% of all login attempts, leaving honest travellers competing for what was effectively a rigged lottery. The Tatkal premium that passengers paid to guarantee last-minute access was, in effect, being captured by criminal networks who had industrialised the booking process.

The scale of the data problem became apparent through a series of serious security incidents. In 2020, personal information of over nine million Indian railway ticket buyers, including their IDs, was found online. An October 2019 incident had already exposed an unprotected database affecting over two million records, including 583,000 unique email addresses, usernames, and plain-text passwords, with the breach only made public in January 2020. A later incident saw over 30 million railway passenger records compromised, including names, contact information, and travel history — attributed to vulnerabilities in IRCTC's database and a lack of proper access controls.

As recently as 2024, a cybersecurity researcher discovered a critical vulnerability in IRCTC's insurance portal. The flaw allowed anyone to enter random PNRs and fictitious mobile numbers to access other passengers' travel details and modify nominee information on their insurance policies — with no OTP or security question required. The researcher reported the issue to CERT-In on July 23, 2024, and it was fixed by July 30 — but it underscored how the security posture of auxiliary services connected to IRCTC remained inconsistent.

Chapter Four: The Crackdown — What 2025-26 Actually Represents

Against this backdrop, the 2025-26 security figures represent a genuinely significant shift in IRCTC's approach, even if they do not represent a complete solution.

Deactivating 3.03 crore suspicious user IDs is not a bureaucratic exercise — it is the dismantling of a multi-year accumulation of fraudulent infrastructure. According to the Railway Minister, fraudulent accounts and automated bots had long been used by touts to bulk-book tickets within seconds of release and resell them at higher prices. The move aimed to ensure genuine passengers have fair access. The filing of 501 complaints on the National Cyber Crime Portal regarding 4.18 lakh suspicious PNRs indicates that IRCTC is now treating platform fraud as a law enforcement matter rather than simply a customer service issue — a meaningful doctrinal shift. 

The blocking of 13,343 fraudulent email domains addresses one of the primary tools used to create fake accounts at scale: disposable or catch-all email addresses that allowed fraudsters to generate thousands of IRCTC registrations without any real identity behind them. Subjecting 6.05 crore IDs to revalidation is an even more ambitious undertaking — essentially auditing the entire active user base for authenticity.

The AI and machine learning systems now tracking and deactivating bulk booking agents represent the sharpest technology deployed in this fight. During Tatkal windows specifically — where the problem of bot competition is most acute — these systems flag and neutralise suspicious activity in real time. The result is visible in the record numbers: around 88% of train tickets are now booked digitally rather than through reservation counters, and average daily bookings have risen from 13.88 lakh in 2024-25 to 14.53 lakh in 2025-26, suggesting that real capacity is being reclaimed from fraudulent actors. 

Chapter Five: The Problems That Remain

The 2025-26 numbers should not be read as a declaration of victory. They are progress reports from a war that is not over.

Server crashes during Tatkal windows remain a persistent, embarrassing reality. Similar outages have been observed before major festivals like Diwali for several consecutive years, with users receiving error code 109: "The server is currently unable to process the request." The limited capacity of the IRCTC platform to handle maximum traffic during peak periods continues to cause slowdowns and outages. As recently as April 2026, users faced app crashes, endless loading screens, and sudden errors just as they were about to complete Tatkal bookings. Reports described failed transactions, delayed responses, and bookings slipping into waitlist status within seconds of the window opening. 

IRCTC's response to one recent crash — introducing a "Resume/Retry Booking" feature allowing users to complete transactions without paying again if money was already deducted — was described aptly by one observer as "a step in the right direction, but it feels more like damage control than a permanent solution." 

The revamped IRCTC website, with a July 15, 2026 launch deadline, has been promised to address long-standing complaints over captcha verification issues, website crashes, OTP delays, and booking failures during Tatkal bookings. Whether it delivers is a question that millions of passengers will answer in real time within weeks of this article's publication. 

The deeper structural tension is one that no website redesign fully resolves: the Tatkal system places millions of users in a first-come-first-served race for a small number of seats, with the opening moment acting as a guaranteed traffic spike. That architecture is inherently crisis-prone, and the question of whether to redesign the ticketing logic rather than simply upgrade the servers has not been seriously answered.

On the data security front, Indian organisations face an average of 3,291 weekly cyberattacks — 44% more than the global average, and IRCTC, as the custodian of travel data for hundreds of millions of citizens, remains a high-value target. The partial accountability — past breaches attributed to third-party partners rather than IRCTC's own servers — reflects a supply chain security problem that the 2025-26 measures do not fully address. 

The Larger Picture

What IRCTC's journey illustrates is something that India's broader digitalisation story exemplifies: the transition from an offline system captured by intermediaries does not automatically produce equity. It produces a new arena, in which the same dynamics — the advantage of those with better tools, more resources, or fewer scruples — play out at digital speed and scale.

The 3 crore deactivated IDs are not, primarily, a cybersecurity story. They are a social equity story. Every fake ID represented a displacement of a genuine passenger from a seat they had a right to. Every bot that swept the Tatkal window in under 60 seconds was, in effect, a digital tout charging an invisible premium — just without a face at a station counter.

The milestones of 2025-26 — the record bookings, the AI-powered fraud detection, the law enforcement complaints, the identity revalidations — represent real institutional learning from a history of failure. The platform that once crashed under the weight of its own users, leaked data at scale, and lost the Tatkal window to bot networks has demonstrably improved. The question is whether the improvement is fast enough, comprehensive enough, and structurally deep enough to keep pace with fraudsters who will now adapt in turn — and whether the core infrastructure can hold up when hundreds of thousands of genuine passengers try to book a ticket at precisely the same second.

For those passengers, the next test comes every morning at 10 AM.