New Delhi: A security lapse by Indian Oil Corporation-run (IOC) gas company, Indane, exposed Aadhar details of close to 68 lakh customer on its website, a French security expert has claimed. Part of the website, which is only supposed to be accessible with a valid username and password, was indexed in Google, media reports said. This allowed any person using the Internet to skip the login page and get unfettered access to the dealer database. Indane, an LPG brand owned by IOC, has over 9 crore customers in the country. French security researcher Baptiste Robert, who goes by the online handle Elliot Alderson, wrote in a blog post that the Aadhaar information of nearly 68 lakh dealers and distributors of Indane was left exposed. He has also exposed Aadhar leaks in the past.
Second time Indane involved in data leak
This is the second instance that Indane has been involved in a data leak controversy as a security researcher last year found an endpoint on an Indane-run system that allowed anyone to download Aadhaar details. Using a custom-built script to scrape the database, Alderson said he found customer information for 11,000 dealers as well as their confidential Aadhaar numbers. Alderson claimed that until his IP was blocked, 58 lakh Indane customers were affected by this leak.
No Aadhar data leak, IOC says
IOC denied any leak of Aadhar information, saying in a statement that “Indian Oil in its software captures only the Aadhaar number which is required for LPG subsidy transfer. No other Aadhaar related details are captured by Indian Oil. Therefore, leakage of Aadhaar data is not possible through us.” “In the past, oil marketing companies on time-to-time basis were hosting the consumption of subsidised LPG refills by consumers, multiple connection list having customer information like consumer number, name, LPG ID, address, in public domain (transparency portal) in their respective websites which was available for social audits,” it said.