Aadhaar data leak: Gas company Indane leaves data of 6.7mn customers exposed on its website

Yet another Aadhaar data leak has come to light. This time involving the Indian Oil Corporation owned gas agency Indane. This is a repeat of the **many Aadhaar leaks** we have seen in the past, where Aadhaar data stored on a website has been left exposed because of bad security practices. [caption id=“attachment_5790571” align=“alignnone” width=“1024”] A man goes through the process of eye scanning for the Unique Identification (UID) database system, Aadhaar, at a registration centre in New Delhi, India. Image: Reuters[/caption] According to a report in TechCrunch, local gas company Indane had left part of its website exposed to dealers and distributors who could access the Aadhaar data using a valid user name and password. But thanks to not having enough security measures in place, part of the website was indexed in Google searches, giving anyone unfettered access to the database — even without any login details. Indane has around 90 million total customers across India. The exposed data was brought to notice by a security expert who wants to remain anonymous. French security researcher Robert Baptiste who goes by the Twitter handle Elliot Alderson used a custom-built Python script to scrape this database and was able to customer data for 11,000 dealers. This data included the name and addresses of customers as well as their Aadhaar numbers. According to Baptiste, he was able to get details of 5.7 mn Indane customers before his script was blocked. Baptiste even studied the Android app of Indane, which had a ‘Locate your Distributor’ section in its code. Using his custom Python script, Baptiste was able to get 11,062 valid dealer IDs. “After more than 1 day, my script tested 9490 dealers and found that a total of 5,826,116 Indane customers are affected by this leak,” said Baptiste in his blog post. Baptiste even said that he had disclosed the leak to Indane, but did not get any response from them. However, the Indian Oil Corporation ltd dismissed the report saying there was no such data leak through the Indane website. It also said that the software of the Indian Oil only captures only the Aadhaar number and no other details for LPG subsidy transfer. It further clarified that no Aadhaar number was hosted on the official website of Indane.

There is no leak of #Aadhaar data through #Indane website pic.twitter.com/sHje42Ba5e

— Indian Oil Corp Ltd (@IndianOilcl) February 19, 2019

This is a **second time that Indane has leaked Aadhaar information** . In 2018, a security researcher had found an endpoint on the system run by Indane which would let anyone download Aadhaar details. Earlier this month,  **Aadhaar details of thousands of govt of Jharkhand employees were found exposed** thanks to a lapse in security. Employees using the Aadhaar biometric attendance system to mark their attendance had their details exposed as the servers holding this information had been without a password since 2014. The details available, for anyone looking in the right place, included Aadhaar numbers, names, job titles, email IDs and partial phone numbers. Around 166,000 employees’ data had been left exposed.