The official website of Indane, the popular state-owned LPG company, was found to be leaking the personal details of millions of its customers, including their Aadhaar numbers. The data breach was discovered by French security researcher Baptiste Robert, known on Twitter as “Elliot Alderson”, with the help of an Indian researcher who does not want his details disclosed.
An Aadhaar card carries a unique number assigned to every citizen of India as part of the country’s biometric identity programme, maintained by the government’s Unique Identification Authority of India (UIDAI). This is not the first time that Aadhaar details have been leaked.
The anonymous Indian researcher first found a flaw in Indane’s online dealer portal that allowed anyone to retrieve the customer records associated with a given dealer, without any authentication. He then shared his findings with Robert, who had earlier exposed several Aadhaar-related leaks and security weaknesses in other Indian websites.
On analysing the flaw, Robert found that an attacker who knows a dealer’s username could harvest the data of millions of Indian citizens from the Indane website, and that dealer usernames could be obtained through another vulnerability in Indane’s official mobile app.
The mobile-app vulnerability let Robert enumerate 11,062 valid dealer IDs; by querying the online dealer portal with 9,490 of them, he was able to fetch the personal data of 5.8 million customers, including their Aadhaar numbers, names and residential addresses.
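As an added example (not Indane’s code, nor anything from the researchers’ write-up), the following Python sketches the class of flaw described above alongside two defender-side controls: an object-level authorization check that binds the requested dealer ID to the logged-in dealer, and a log check that flags a client walking through many distinct dealer IDs. All endpoints, names and records are hypothetical and constructed.

```python
"""Added example, not Indane's code. Endpoints, names and data are
hypothetical and constructed for illustration."""
from collections import defaultdict

# Constructed sample: customer records keyed by dealer username.
CUSTOMERS = {
    "dealer_a": [{"consumer_no": "1001", "name": "A. Sharma", "aadhaar_masked": "XXXX-XXXX-1234"}],
    "dealer_b": [{"consumer_no": "2001", "name": "B. Rao", "aadhaar_masked": "XXXX-XXXX-5678"}],
}


class AuthError(Exception):
    """Raised when a request fails the authentication/authorization checks."""


def fetch_customers_vulnerable(dealer_id, session=None):
    """Flaw as described in the article: the dealer_id from the request is
    trusted as-is, no login is required, so any dealer's customers are returned."""
    return CUSTOMERS.get(dealer_id, [])


def fetch_customers_hardened(dealer_id, session):
    """Fix: require an authenticated session and bind the requested dealer_id
    to the dealer that session belongs to (object-level authorization), so
    knowing a valid dealer ID alone is not enough to read its customers."""
    if not session or not session.get("authenticated"):
        raise AuthError("login required")
    if session.get("dealer_id") != dealer_id:
        raise AuthError("a dealer may only view its own customers")
    return CUSTOMERS.get(dealer_id, [])


def detect_dealer_enumeration(log_lines, threshold=50):
    """Flag clients that request customer lists for many distinct dealer IDs,
    the access pattern behind a mass harvest like the one described above.
    Constructed log format: '<client_ip> GET /dealer/<dealer_id>/customers'."""
    seen = defaultdict(set)
    for line in log_lines:
        ip, _method, path = line.split()
        parts = path.strip("/").split("/")
        if len(parts) == 3 and parts[0] == "dealer" and parts[2] == "customers":
            seen[ip].add(parts[1])
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) >= threshold}
```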
The vulnerability was reported to Indane, which is owned by the Indian Oil Corporation, on 15th February. The company did not respond, and the findings were made public on 19th February.
In response, Indian Oil Corp Ltd tweeted that there had been no leak of Aadhaar data through the Indane website.
It also issued a statement defending Aadhaar and the Indian Government, saying:
“IndianOil in its software captures only the Aadhaar number which is required for LPG subsidy transfer. No other Aadhaar related details are captured by IndianOil. Therefore, leakage of Aadhaar data is not possible through us.”
“In the past, Oil Marketing Companies on time to time basis were hosting the consumption of subsidized LPG refills by consumers, multiple connections list having customer information like consumer number, name, LPG ID and address, in public domain (transparency portal) in their respective websites which was available for social audits.”
“There is no Aadhaar number hosted on this website.”