Update on February 20:

Indane denied the leak of any Aadhaar data, stating that its website did not host any Aadhaar numbers. The state-owned company pointed out that its software “captures only the Aadhaar number which is required for LPG subsidy transfer. No other details are captured by IndianOil. Therefore leakage of Aadhaar is not possible through us.”

Security researcher Baptiste tweeted that Indane shut down the affected dealer portal within 3 hours of TechCrunch reporting the story. After Indane denied the leak, its website was down “for maintenance,” he tweeted.

Earlier on February 19

Indane Gas leaks Aadhaar nos, names and addresses of 5.8M customers online

Government-owned gas company Indane – which has 90 million customers – leaked the Aadhaar data of 5.8 million customers on its dealer and distributor website. Security researcher Robert Baptiste, who goes by Elliot Alderson (fs0c131y) on Twitter, received a tip-off about the exposure from an anonymous security researcher.

Meanwhile, the UIDAI has not issued any statement on the breach.

Upon investigation, Baptiste found the customer data linked to 11,000 dealers, and the Aadhaar data of at least 5.8 million customers, along with their names and addresses. The information is meant to be accessible with a valid dealer username and password. However, a part of the Indane website was indexed on Google, which allowed anybody to circumvent the login page and get access to the dealer database.

Baptiste, who wrote a detailed post on his findings, claims that the total number of Aadhaar numbers exposed could be up to 6.7 million. Baptiste provided his findings to TechCrunch, which first reported the leak. The following is from Baptiste’s post:

By running this script, it gives us 11062 valid dealer ids. After more than 1 day, my script tested 9490 dealers and found that a total of 5,826,116 Indane customers are affected by this leak.

Unfortunately, Indane probably blocked my IP, so I didn’t test the remaining 1572 dealers. By doing some basic math we can estimate the final number of affected customers around 6,791,200

It’s worth noting that Indane had faced another Aadhaar breach last year. ZDNet had reported that the breach was much wider and provided a direct connection to the Aadhaar database, possibly affecting anybody with an Aadhaar card. As always, the UIDAI had denied the report, and the breach, stating that “there has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure”.

Also read: Consumer contact details freely available on Bharatgas site; Privacy? (From 2015)

Aadhaar data leaked on Jharkhand state website

The leak comes days after the Aadhaar numbers of 166,000 (1.6 lakh) government employees were leaked due to a vulnerability in a Jharkhand government web system. The system had been left exposed without password protection since 2014, allowing anybody access to names, job titles, partial phone numbers, and Aadhaar numbers of the employees.

In this case as well, a subdomain of the Jharkhand government’s website was indexed on Google, and could be easily found. The subdomain contained cached copies of the site, and attendance records of government employees which also contained their Aadhaar numbers.

Last week, the Union government asked for the dismissal of an Aadhaar-related petition in the Delhi HC. Filed by lawyer and professor Shamnad Basheer, the petition claimed damages due to inadequate security and multiple breaches related to Aadhaar, and asked, among other things, that all the existing Aadhaar numbers be deleted. The Centre sought dismissal of the petition on the grounds that the Supreme Court had already given a final ruling on the Aadhaar matter.
