Data Leak Exposes Sensitive Aadhaar Information of Millions
A recent security oversight has exposed the personal data of millions of customers belonging to Indane, a state-owned liquefied petroleum gas (LPG) company in India. The breach, discovered by French security researcher Baptiste Robert, also known as “Elliot Alderson” on Twitter, highlights ongoing vulnerabilities within third-party databases that risk the privacy of Indian citizens’ Aadhaar numbers—a unique identification number assigned to each citizen under India’s biometric identity program.
The breach was identified in an unprotected portal used by Indane dealers. Shockingly, the flaw allows unauthorized individuals to download sensitive information, including customers’ names, addresses, and Aadhaar numbers, without any form of authentication. This lapse, described by Robert in a Medium blog post, stems from the absence of proper security measures in the local dealers’ portal associated with the company.
Previous incidents of Aadhaar data leaks have raised alarm bells regarding the handling of personal information within India’s digital frameworks, particularly those maintained by the Unique Identification Authority of India (UIDAI). In this case, an anonymous Indian researcher initially flagged the vulnerability, prompting Robert to delve deeper into the ramifications of the security flaw.
Robert’s investigation revealed that attackers could readily extract millions of citizens’ data, provided they possess the correct dealer usernames. His analysis relied on a separate vulnerability in Indane’s mobile application, which enabled him to uncover 11,062 valid dealer IDs. Using 9,490 of these IDs, he obtained personal details of approximately 5.8 million users.
The researcher noted with concern that, had his IP not been blocked, he could have accessed data pertaining to an estimated 6.79 million customers. He informed Indane of the issue in February but made his findings public only after receiving no acknowledgment from the company.
In response to the growing outcry surrounding this data leak, Indian Oil Corporation, which owns Indane, issued a statement asserting that there has been no leak of Aadhaar information from their site. They emphasized that their protocol captures only the Aadhaar numbers necessary for subsidy transfers, refuting claims of a comprehensive breach. Furthermore, they pointed out that previous disclosures involving customer data had been part of transparency initiatives meant to facilitate social audits.
Critics, however, maintain that the hacker community’s findings contradict this defense. A deeper inspection of the data sample corroborates that the Indane site does, in fact, host Aadhaar numbers: they are not prominently displayed but are embedded within the URL links associated with each customer’s ID.
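A site owner can check rendered pages for the exposure described above, identity numbers carried inside link URLs rather than in visible text. The following is an added example, not code from the article, from Robert's post or from Indane; it assumes the Aadhaar format of 12 digits with a leading digit of 2-9 and a trailing Verhoeff check digit, and the sample HTML and its numbers are constructed.

```python
import re
from html.parser import HTMLParser

# Verhoeff tables built from their definitions (D: dihedral group D5, P: permutation powers).
D = [[(i + j) % 5 if i < 5 and j < 5 else 5 + (i + j) % 5 if i < 5
      else 5 + (i - j) % 5 if j < 5 else (i - j) % 5
      for j in range(10)] for i in range(10)]
P = [list(range(10))]
for _ in range(7):
    P.append([P[-1][x] for x in (1, 5, 7, 6, 2, 8, 3, 0, 9, 4)])
INV = [0, 4, 3, 2, 1, 5, 6, 7, 8, 9]

# Assumed format: 12 digits, first digit 2-9, last digit a Verhoeff check digit.
CANDIDATE = re.compile(r"(?<!\d)[2-9]\d{11}(?!\d)")
URL_ATTRS = {"href", "src", "action"}

def _fold(digits, offset):
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = D[c][P[(i + offset) % 8][int(ch)]]
    return c

def verhoeff_ok(digits):
    """True when the trailing digit is the correct Verhoeff check digit."""
    return _fold(digits, 0) == 0

def check_digit(payload):
    """Check digit for a payload; used here only to build the constructed sample."""
    return str(INV[_fold(payload, 1)])

class LinkScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                for m in CANDIDATE.finditer(value):
                    if verhoeff_ok(m.group()):  # drops order numbers, timestamps, etc.
                        self.hits.append((tag, name, "X" * 8 + m.group()[-4:]))

def scan_html(html):
    """Return (tag, attribute, masked number) for each checksum-valid number in a URL."""
    scanner = LinkScanner()
    scanner.feed(html)
    return scanner.hits

# Constructed sample: one checksum-valid number and one with a deliberately wrong check digit.
FAKE_ID = "99999999999" + check_digit("99999999999")
BAD_ID = "99999999999" + str((int(FAKE_ID[-1]) + 1) % 10)
SAMPLE = f'<a href="/customer?uid={FAKE_ID}">A</a><a href="/order?ref={BAD_ID}">B</a>'
```

The checksum test keeps false positives low, and the hits are masked to the last four digits so the scan report does not become a second copy of the exposed data.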
This incident raises crucial questions about the data security measures deployed by businesses that handle sensitive customer information. From a cybersecurity perspective, it underscores the necessity for robust protective measures, including effective access controls and encryption protocols, to thwart unauthorized data access. According to the MITRE ATT&CK framework, tactics that could be relevant in this situation include Initial Access and Exfiltration, both indicators of a broader vulnerability in data management practices.
As organizations globally observe the repercussions of data breaches, this incident serves as a stark reminder of the responsibility firms have to safeguard sensitive personal information against exposure, thereby maintaining trust and compliance with regulatory standards.