How gas corp Indane compromised Aadhaar data once again, explained

According to a report, a state-owned gas company in India leaked users’ UIDAI data, including consumers’ Aadhaar numbers, to distributors.

TechCrunch reports Indane gas “exposed a part of its website for dealers and distributors even though it’s only supposed to be accessible with a valid username and password”.

To make matters worse, this part of the website was indexed in Google; this meant it would appear in searches related to Indane, making the leaked data accessible to anyone.

Details on the data leak

The leak was reported by an anonymous source and has been confirmed by French security analyst Baptiste Robert. Robert scraped Indane’s database and gained access to 11,000 customers’ Aadhaar numbers hidden in links to each of their records.

He then matched the numbers against the verification tool used by the Unique Identification Authority of India, which regulates Aadhaar.

The customers’ names and addresses were leaked, as well. According to TechCrunch, this might impact more than 6.7 million Indians.

This is the second time Indane has found itself at the centre of a storm regarding security. ZDNet investigated a previous incident where Indane was leaking Aadhaar data through an unsecured endpoint or URL on its domain.

Indane and the National Informatics Centre allegedly ignored this issue for several weeks despite ZDNet’s inquiries. However, after ZDNet aired its story, the endpoint was pulled offline.

Security issues with Aadhaar

The concept of a centralised database for Indians has been so hotly debated that it has reached the Supreme Court (SC).

The public is concerned about two major issues: the government having access to their fingerprints and biometric data might lead to an abuse of power, and the mere existence of such an IT system makes it vulnerable to hacking and leakage.

After the controversy surrounding the government’s decision to make Aadhaar mandatory for bank accounts, caste certificates, and welfare schemes, several petitioners moved the SC for a verdict on the constitutionality of the Aadhaar system.

In 2017, the SC ruled that Indians do have a right to privacy; it, however, clarified that Aadhaar does not violate that right or the Constitution because it collects minimal data.

Even then, the system has been the focus of security issues. HuffPost reported that a citizen’s Aadhaar credentials were breached and used to make transactions at different locations.

In February, an online system that stored employee information was compromised, exposing the Aadhaar numbers of over a lakh government employees in Jharkhand. This website was also indexed on Google.

Vice President of FireEye Steve Ledzian said, “Digital transformation promises to bring significant economic gains to India, but only if cyber security keeps pace; and since more personal data is being created and stored by more organisations, security measures must also be resourced commensurately.”

While streamlining data and storing it digitally is the way forward for India, the public is right to be concerned about misuse and unauthorised access to their most intimate and closely guarded details.

Indane’s response

Indane took to Twitter to post a statement addressing the leak:

“IndianOil in its software captures only the Aadhaar number which is required for LPG subsidy transfer. No other Aadhaar details are captured by IndianOil. Therefore, leakage of Aadhaar data is not possible through us. In the past, Oil Marketing Companies on time to time basis were hosting the consumption of subsidized LPG refills by consumers, multiple connections list having consumer information like consumer number, name, LPG ID and address, in public domain (transparency portal) in their respective websites which was available for social audits. There is no Aadhaar number hosted on this website.”

Rhea Arora is a staff writer at Qrius
