Researcher: Indane Leaks Aadhaar Data on 6.7 Million
Data Reportedly Leaked From State-Owned Gas Company's Website
French cybersecurity researcher Baptiste Robert, who goes by the name Elliot Alderson on Twitter, has once again exposed an apparent Aadhaar leak. The latest leak, which occurred on state-owned gas company Indane's website, exposed data of as many as 6.7 million customers, the researcher claims.
In a post on Medium, Alderson broke down how the section of Indane's website meant for dealers and distributors was exposing as many as 6.7 million Aadhaar numbers through this leak. He says the leak was brought to his attention through a private message on Twitter.
Researchers say that Indane's portal for dealers and distributors can only be accessed by a valid username and password. But Alderson wrote in his blog that because this portion of the website was indexed on Google, it could be accessed by anybody without having to log in.
This isn't the first time that Indane Gas has been involved in an Aadhaar data leak. Last year, the gas and energy company was found leaking data from an endpoint with a direct connection to Aadhaar's database. This was discovered by New Delhi-based security researcher Karan Saini.
In the latest case, Alderson says he used a custom-built script and found customer details for 11,000 dealers. The data retrieved included customer names, addresses and Aadhaar numbers. In his blog, he writes that he was able to access 5.8 million customer records before his script was blocked by Indane, but he estimates that as many as 6.7 million customers could have been affected by this leak.
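The article says the script was eventually blocked after walking through thousands of dealer IDs. The following is an added example, not code from the article or from Indane, of the detection logic a portal operator would run over its own access logs to catch that pattern early: it flags any client that requests more than a threshold of distinct dealer IDs inside a sliding time window. The log format, the endpoint path `/dealer/customers?dealer_id=...`, the IP addresses and the dealer IDs are all constructed assumptions.

```python
"""
Added example: flag clients that enumerate many distinct dealer IDs in a short window.
Not Indane's code; log format, endpoint path and all sample values are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime
import re

# Assumed log layout: "<ip> [<iso timestamp>] \"GET <path> HTTP/1.1\" <status>"
LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+)')
# Assumed endpoint that returns a dealer's customer records by dealer ID
DEALER_RE = re.compile(r"/dealer/customers\?dealer_id=(?P<dealer>\w+)")

# Constructed sample: 203.0.113.5 walks dealer IDs quickly; 198.51.100.9 behaves normally.
SAMPLE_LOG = """\
203.0.113.5 [2019-02-18T10:00:00] "GET /dealer/customers?dealer_id=D1001 HTTP/1.1" 200
203.0.113.5 [2019-02-18T10:00:01] "GET /dealer/customers?dealer_id=D1002 HTTP/1.1" 200
203.0.113.5 [2019-02-18T10:00:01] "GET /dealer/customers?dealer_id=D1003 HTTP/1.1" 200
203.0.113.5 [2019-02-18T10:00:02] "GET /dealer/customers?dealer_id=D1004 HTTP/1.1" 200
203.0.113.5 [2019-02-18T10:00:02] "GET /dealer/customers?dealer_id=D1005 HTTP/1.1" 200
198.51.100.9 [2019-02-18T10:00:03] "GET /dealer/customers?dealer_id=D1001 HTTP/1.1" 200
203.0.113.5 [2019-02-18T10:00:03] "GET /dealer/customers?dealer_id=D1006 HTTP/1.1" 200
198.51.100.9 [2019-02-18T10:05:00] "GET /dealer/customers?dealer_id=D1001 HTTP/1.1" 200
"""


def parse_line(line):
    """Return (ip, timestamp, dealer_id) for a customer-lookup request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = DEALER_RE.match(m.group("path"))
    if not d:
        return None
    return m.group("ip"), datetime.fromisoformat(m.group("ts")), d.group("dealer")


def detect_enumeration(log_text, threshold=5, window=60):
    """Return {ip: peak distinct dealer IDs} for clients that exceed `threshold`
    distinct dealer IDs within any `window` seconds. Lines are assumed to be in
    time order per client, as a server log would be."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, dealer_id) inside the window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, dealer = rec
        q = recent[ip]
        q.append((ts, dealer))
        # Drop entries that have aged out of the sliding window
        while q and (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for ip, count in detect_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} distinct dealer IDs within 60s")
```

A single legitimate dealer rarely needs records for more than its own ID, so a low threshold is realistic; pairing the alert with a per-client rate limit on the same endpoint stops the walk rather than only recording it.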
Unlike certain other Aadhaar breaches, where some security experts blamed the Unique Identification Authority of India for lapses, this time, the gas company apparently bears the blame.
"The latest Aadhaar breach happened not at the UIDAI end but at the Indane Gas end as the state-owned gas distributor did not have a proper authentication mechanism on the distributor portal," says Venkata Satish G, director of security at Rediff, a news, information and shopping portal.
Some security experts, however, are calling on UIDAI to impose financial penalties on organizations that fail to adhere to basic security practices, leading to leaks of Aadhaar information and other data.
Last year, Alderson exposed many vulnerabilities on Indian government websites including Bharat Sanchar Nigam Limited, or BSNL, the state-run telecommunications company.
How the Latest Leak Happened
Alderson says that he got an anonymous tip about Indane leaving Aadhaar details exposed on its website. TechCrunch claims to have separately verified some Aadhaar numbers from the exposed database with UIDAI's own web-based verification tool. Each of them got a positive match.
Some security experts surmise that because there was a lack of authentication, Alderson ran a script with distributor IDs fetched from Indane's Android App, which gives details of its distributors. He was then able to fetch customer details for about 11,000 distributors.
"Due to a lack of authentication in the local dealers portal, Indane not only leaked the names and addresses of its customers but also their Aadhaar numbers," Alderson says.
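To make concrete what "a lack of authentication in the local dealers portal" means on the server side, here is an added example, written for this article and not taken from Indane's portal or from the researcher: a framework-free model of a customer-lookup endpoint. `lookup_customers_vulnerable` reproduces the failure mode described above, where any caller who knows a dealer ID gets that dealer's customer records; `lookup_customers` is the hardened form, which first requires a valid session and then checks that the session belongs to the dealer being queried. The session scheme (an HMAC over the dealer ID), the dealer IDs and the customer records are constructed assumptions.

```python
"""
Added example: vulnerable vs. hardened dealer-portal lookup.
Not Indane's code; the session scheme, dealer IDs and customer data are constructed.
"""
import hashlib
import hmac

# Constructed sample data: dealer ID -> customer records (Aadhaar values are fake).
CUSTOMERS = {
    "D1001": [{"name": "Customer A", "address": "1 Example St", "aadhaar": "XXXX-XXXX-1234"}],
    "D1002": [{"name": "Customer B", "address": "2 Example St", "aadhaar": "XXXX-XXXX-5678"}],
}

SECRET = b"constructed-server-side-signing-key"  # assumption: kept only on the server


class AccessDenied(Exception):
    pass


def lookup_customers_vulnerable(dealer_id, session_token=None):
    # Vulnerable: the token parameter exists but is never checked, so an
    # unauthenticated caller can walk every dealer ID and collect all records.
    return CUSTOMERS.get(dealer_id, [])


def issue_session(dealer_id):
    # Constructed session scheme: "<dealer_id>.<HMAC-SHA256(dealer_id)>", so the
    # server can later prove which dealer a token was issued to.
    mac = hmac.new(SECRET, dealer_id.encode(), hashlib.sha256).hexdigest()
    return f"{dealer_id}.{mac}"


def verify_session(token):
    """Return the dealer ID the token was issued to, or None if missing/tampered."""
    if not token or "." not in token:
        return None
    dealer_id, mac = token.rsplit(".", 1)
    expected = hmac.new(SECRET, dealer_id.encode(), hashlib.sha256).hexdigest()
    return dealer_id if hmac.compare_digest(mac, expected) else None


def lookup_customers(dealer_id, session_token=None):
    # Hardened, step 1: authenticate. No valid session, no data.
    caller = verify_session(session_token)
    if caller is None:
        raise AccessDenied("authentication required")
    # Step 2: authorize. A dealer may only read its own customers, which closes
    # the horizontal walk across dealer IDs even for logged-in users.
    if caller != dealer_id:
        raise AccessDenied("not authorized for this dealer")
    return CUSTOMERS.get(dealer_id, [])


def redact(records):
    # Defence in depth: return only the last four digits unless the business
    # function genuinely needs the full number.
    return [{**r, "aadhaar": "****" + r["aadhaar"][-4:]} for r in records]


if __name__ == "__main__":
    print("vulnerable, no session:", lookup_customers_vulnerable("D1001"))
    token = issue_session("D1001")
    print("hardened, own dealer:", redact(lookup_customers("D1001", token)))
    try:
        lookup_customers("D1002", token)
    except AccessDenied as e:
        print("hardened, other dealer:", e)
```

The two checks are deliberately separate: authentication alone would still let any logged-in dealer enumerate everyone else's customers, which is the same bulk exposure with one extra step. Keeping the portal out of search-engine indexes is worthwhile housekeeping but is not a substitute for either check.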
Indane did not immediately reply to a request for comment.
Although all organizations that handle Aadhaar data have been repeatedly instructed to store the data in an encrypted format, relatively few have taken this step, contends Rakesh Goyal, a CERT-In certified auditor.
"UIDAI until now has taken little action against private firms leaking Aadhaar data, let alone government agencies," he says. "In the past, it has never penalized state government websites responsible for Aadhaar data leak.
"There is absolutely no fear among these agencies in leaking Aadhaar data. The UIDAI can take strict action under the Aadhaar Act, but whether it will take it is anybody's guess."