The Indian state gas company is leaking millions of Aadhaar numbers


Another safety decay has exposed millions of Aadhaar numbers.

This time Indian state-owned Indane showed part of its website for dealers and distributors, although it should only be accessible with a valid username and password. But the part of the site is indexed in Google, allowing everyone to bypass the sign-in page and have unrestricted access to the dealer database.

The data was found by a security investigator who wanted to remain anonymous because of the fear of retaliation by the Indian authorities. Aadhaar's regulator, the Unique Identification Authority of India (UIDAI), is known for quickly denying reports of data leaks or exposures, critical news articles "fake news," and threatening legal action and filing complaints from the police against journalists.

Baptiste Robert, a French security researcher who is the deal with Elliot Alderson online and has previous experience in studying Aadhaar exposures, examined the exposure and delivered the results to TechCrunch. Using a custom script to scrape the database, he found customer data for 11,000 dealers, including customer names and addresses, as well as the confidential Aadhaar number of the customer that was hidden in the link of each record.

Robert, who explained more about his findings in a blog, found 5.8 million Indane customer records before his script was blocked. In total, Robert estimated that the total number of affected 6.7 million customers could outperform.

We have verified a sample of Aadhaar numbers from the site using UIDAI's own web-based authentication tool. Each record came back as a positive match.

A screenshot of the unverified access to Indane's dealer portal, with sensitive information about millions of Indian citizens. This was a dealer that had 4,034 customers. (Image: TechCrunch)

It is the last safety drop with Aadhaar data and the second time to trade Indane. Last year, the gas and energy company found leaking data from an endpoint with a direct connection to the Aadhaar database. This time, however, it is assumed that the leak is limited to its own data.

Indane reportedly has more than 90 million customers across India.

The exposure only comes a few weeks after an Indian state has leaked the personal information of more than 160,000 government employees, including their Aadhaar numbers.

Aadhaar numbers are not secret, but are treated as confidential and private information similar to social security numbers. More than 90 percent of the Indian population, about 1.23 billion citizens, are registered in Aadhaar, who use the government and some private companies to verify identities. The government uses Aadhaar to register citizens in government services, such as voting, or applying for social assistance or financial assistance. Some companies have also encouraged customers to register their bank accounts or telephone services with their Aadhaar identity, but this was recently struck down by the Supreme Court of the country. Many say that linking their Aadhaar identity to their bank accounts has led to fraud.

Probably the exposure will raise new concerns that the Aadhaar system is not as safe as UIDAI has claimed. Although few of the security incidents have caused a direct breach of Aadhaar's central database, the weakest link remains the companies or government departments that rely on the data.

We have contacted both Indane and UIDAI, but have not heard anything.