LPG brand Indane leaks Aadhaar data of dealers and millions of customers
Another Aadhaar related security lapse has come to light. Indane, an LPG brand owned by the Indian Oil Corporation (IOC), has reportedly leaked millions of Aadhaar numbers of dealers, distributors and customers associated with the LPG brand.
The data leak was found by French security researcher Robert Baptiste, who goes by Elliot Alderson on Twitter. The researcher has prior experience in exposing Aadhaar-related vulnerabilities. In a blogpost on Medium, Elliot writes that Aadhaar data of 11,062 dealers, and a total of 6,791,200 (6.7 million) customers are affected.
Since the post was published, the dealer's site has been taken down.
Using a custom-built script to expose the security lapse, Elliot claimed he was able to find customer data for nearly 11,000 dealers, including names and addresses of 5.8 million Indane customers, before his IP was allegedly blocked by the company.
"I wrote the Python script. By running this script, it gives us 11,062 valid dealer ids. After more than one day, my script tested 9,490 dealers and found that a total of 5,826,116 Indane customers are affected by this leak," he wrote.
Elliot highlighted that by simply modifying the value of the dealerID parameter on Indane's dealer portal, he could access the consumer information of another dealer. "So due to a lack of authentication in the local dealers portal, Indane is leaking the names, addresses and the Aadhaar numbers of their customers," he added.
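The flaw described above is a missing server-side authorization check on the dealerID parameter. The Python below is an added example, not code from Indane's portal or from the researcher's post: it contrasts a lookup that trusts the parameter with one that binds it to the logged-in session, masks the Aadhaar number and records denied requests. The data, session tokens and function names are all constructed for illustration.

```python
# Added illustration. All names and data below are constructed, not Indane's.
CUSTOMERS = {
    "D1001": [{"name": "Customer A", "aadhaar": "000000000001"}],
    "D1002": [{"name": "Customer B", "aadhaar": "000000000002"}],
}
# Server-side session store: opaque token -> dealer who logged in (hypothetical).
SESSIONS = {"tok-alpha": "D1001", "tok-beta": "D1002"}


class Forbidden(Exception):
    """Raised when a request is unauthenticated or crosses dealer boundaries."""


def customers_vulnerable(params):
    # Behaviour described in the article: the client-supplied dealerID is
    # trusted as-is, so any caller can read any dealer's customer list.
    return CUSTOMERS.get(params.get("dealerID"), [])


def mask(aadhaar):
    # Expose only the last four digits; the full number stays on the server.
    return "XXXXXXXX" + aadhaar[-4:]


def customers_hardened(params, session_token, audit):
    dealer = SESSIONS.get(session_token)
    if dealer is None:
        audit.append(("unauthenticated", None, params.get("dealerID")))
        raise Forbidden("login required")
    requested = params.get("dealerID", dealer)
    if requested != dealer:
        # Object-level authorization: the session, not the URL, decides whose
        # records are returned. Denials are logged so enumeration is visible.
        audit.append(("cross-dealer", dealer, requested))
        raise Forbidden("dealerID does not belong to this session")
    return [{"name": c["name"], "aadhaar": mask(c["aadhaar"])}
            for c in CUSTOMERS.get(dealer, [])]


if __name__ == "__main__":
    audit = []
    print(customers_vulnerable({"dealerID": "D1002"}))
    print(customers_hardened({"dealerID": "D1001"}, "tok-alpha", audit))
    try:
        customers_hardened({"dealerID": "D1002"}, "tok-alpha", audit)
    except Forbidden as exc:
        print("denied:", exc, audit)
```

A burst of "cross-dealer" entries from one session or IP address in the audit list is the signal that someone is walking dealer IDs.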
YourStory reached out to the Unique Identification Authority of India (UIDAI) for a comment on this data leak, but there has been no response so far. We will update the story as soon as we hear from them.
The debate around Aadhaar's security has existed ever since it came into being in 2013. UIDAI claims that the 12-digit ID covers 97 percent of India's population, which makes the Aadhaar database one of the largest government databases on the planet, containing both the demographic and the biometric data of citizens.
Apart from security concerns, Aadhaar also raised a debate around citizens' privacy, as it gives access to a person's sensitive data such as health records, financial data, personal information, etc. The debate led to a landmark verdict by the Supreme Court of India, which upheld the constitutional validity of the Aadhaar Act, and said that obtaining an Aadhaar ID remains voluntary.
Following reports of the data leak, Indian Oil denied Elliot's claims and said its website only captured the Aadhaar number to transfer subsidy. It posted the same on its website.
(This story has been updated to include Indian Oil Corporation's reaction on the reported data leak)