Indian Oil Corporation on Tuesday denied claims by a French security researcher that the company’s Indane website leaked Aadhaar data of over 67 lakh customers.
Indane is an LPG brand owned by the Indian Oil Corporation (IndianOil).
Baptiste Robert, who goes by the online handle Elliot Alderson, wrote in a blog post on Medium on Tuesday that he investigated the issue after receiving an anonymous tip from a Twitter follower.
Alderson’s probe revealed that information in a part of the Indane website was not secured with adequate safeguards.
“Due to a lack of authentication in the local dealers portal, Indane is leaking the names, addresses and the Aadhaar numbers of their customers,” he wrote in the blog post.
IndianOil denied the claims, saying that its software captures only the Aadhaar number, which is required for LPG subsidy transfer.
“No other Aadhaar related details are captured by IndianOil. Therefore, leakage of Aadhaar data is not possible through us,” IndianOil said in a statement.
“In the past, oil marketing companies on a time-to-time basis were hosting the consumption of subsidised LPG refills by customers, multiple connections list having customer information like customer number, name, LPG id, and address, in public domain (transparency portal) in their respective websites which was available for social audits. There is no Aadhaar number hosted on this website,” the statement added.
Alderson, who introduces himself as the “worst” nightmare of Aadhaar regulator Unique Identification Authority of India (UIDAI), said that Indane has a total of 11,062 dealers but he could test only 9,490 of them as Indane “probably” blocked his IP.
“My script tested 9,490 dealers and found that a total of 58,26,116 Indane customers are affected by this leak,” Alderson wrote in the blog post.
“Unfortunately, Indane probably blocked my IP, so I didn’t test the remaining 1,572 dealers. By doing some basic math we can estimate the final number of affected customers around 67,91,200,” he added.
The Supreme Court last year upheld the legality of Aadhaar, while restricting it to disbursement of social benefits and junking its requirement for cell phones and bank accounts.
“The data which is being collected by all the government or non-government organisations can be misused in many ways. So it is wise to educate ourselves and others about the loss one can face,” Manan Shah, Founder and CEO, Avalance Global Solutions, told IANS in a statement.