A French security researcher claims to have found a lapse that has allegedly exposed millions of Aadhaar numbers of dealers and distributors associated with Indane, an LPG brand owned by Indian Oil Corporation.
The researcher, Baptiste Robert, who goes by Elliot Alderson online, has exposed Aadhaar-related leaks in the past. On Monday, he wrote in a blog post on Medium that data of Indane’s 6.7 million dealers and distributors, which is accessible only with a valid username and a password, has been left exposed.
According to Alderson, “Due to a lack of authentication in the local dealers portal, Indane is leaking the names, addresses and the Aadhaar numbers of their customers.”
Alderson was able to find the customer data of almost 11,000 dealers, including the names and addresses of customers. He obtained this information using a custom-built script made to scrape the database. However, before he could find out more, Indane blocked his IP.
He also said in his blog post, “I wrote the python script. By running this script, it gives us 11062 valid dealer ids. After more than 1 day, my script tested 9,490 dealers and found that a total of 5,826,116 Indane customers are affected by this leak.”
The French researcher found a total of 5.8 million records of Indane customers before his script was blocked.
He further added, “Unfortunately, Indane probably blocked my IP, so I didn’t test the remaining 1,572 dealers. By doing some basic math we can estimate the final number of affected customers around 6,791,200.”
Indane and the Unique Identification Authority of India (UIDAI) have not yet commented on the data breach.
We should point out that according to Wikipedia, Indane serves more than 90 million families through a network of 9100 distributors. The website also states that 27% of Indane’s customer base resides in semi-urban or rural markets and that every second LPG cooking gas connection in India is provided by the company.