Aadhaar data of estimated 67 lakh Indane gas customers leaked

By Digit NewsDesk | Updated 19 Feb 2019
  • As there were no credentials required to access a local dealer portal on Indane’s website, security researcher Elliot Alderson was able to collect Aadhaar and other data like name and addresses of over 58 lakh Indane customers.

Highlights:

  • Indane was leaking Aadhaar and other data of its customers. 
  • As per security researcher Elliot Alderson, the company’s website lacked authentication.
  • He developed a script to scrape Aadhaar number, name, consumer no, and address of over 58 lakh Indane gas users. 


There have been many concerns over leaks of Indian citizens' Aadhaar data, but UIDAI keeps reassuring people that there is no cause for panic since the service is foolproof. However, the French security researcher Robert Baptiste, who is better known by his Twitter account name Elliot Alderson, has published an article detailing how Indane, the LPG provider owned by Indian Oil Corporation, was leaking the Aadhaar numbers and data of more than 5.8 million Indane gas users. The security researcher claims that Indane was leaking Aadhaar and other data of its customers due to a lack of authentication on the company’s local dealers website.

In a tweet, Alderson revealed the development and later tweeted that in less than three hours of releasing the info, Indian Oil shut down the affected dealer portal. “We tried to contact them through multiple ways during days. Nobody answered,” his tweet states. As per Alderson’s blog post, he received the tip from someone on Twitter, where he was sent a URL of the affected domain. He found that there are no credentials in place to restrict unauthorised access to the local dealers portal on Indane’s website and it was showing names, addresses and the Aadhaar numbers of their customers.

A screenshot of the Indane Gas webpage that leaked private data of its customers (Via Elliot Alderson)

To figure out exactly how many users’ data was leaking, the security researcher developed a Python script that can scrape the information from Indane’s servers. The script is said to have run for an entire day to obtain information on a total of 5,826,116 Indane customers. Soon after, the script stopped working and Alderson says it might be because his IP was blocked by Indane. Based on the time and amount of data his script managed to collect, he says that the final number of affected customers could be more than 67 lakh. There are finer details as to how the script worked, which you can read here on Elliot Alderson’s blog.

As per the researcher, he disclosed the vulnerability to Indane on February 15 and went ahead with the public disclosure today on February 19 as the company didn’t respond.

Update: Indian Oil has responded to the report that its servers were leaking Aadhaar data in a tweet. The company says there is "No Leak of Aadhaar Data" and that its software uses only the Aadhaar number for LPG subsidy transfer and so there is no Aadhaar data leak possible via IndianOil. The statement ends with "There is no Aadhaar number hosted on this website," where we presume that it is talking about the local dealers portal. 

If you are an Indian citizen, there’s a high chance you have enrolled for an Aadhaar card and have a 12-digit random number issued by the Unique Identification Authority of India (UIDAI). There have been numerous concerns and reports of Aadhaar data of Indian citizens being leaked. In 2017, around 210 Central and State government departments' websites were reportedly displaying personal details and Aadhaar numbers of beneficiaries. In September last year, a report claimed that software priced at Rs 2,500 enables anyone from anywhere in the world to generate Aadhaar numbers.
