Since its inception, Aadhaar has been far from a secure system. But at the very least, you'd hope it couldn't be abused to get things like your full residential address.
Well, you'd be wrong, as shown by this latest leak from one of the biggest LPG providers.
State-owned gas company Indane has apparently left a part of its database for dealers and distributors exposed, despite the fact that it's supposed to be accessible only with a username and password. As such, it was indexed by Google, allowing anyone with the requisite know-how to bypass the login altogether.
Cybersecurity researcher Baptiste Robert publicised the leak in a Medium post, describing how he received the tip from another white hat hacker who preferred to remain anonymous. After all, the Unique Identification Authority of India (UIDAI) has been known to respond to reports of the system's leaks with claims of "fake news", and to follow them up with police complaints. Robert goes by the handle ElliotAlderson on Twitter, and has previously been responsible for figuring out a number of other Aadhaar breaches.
When investigating the bug, Robert says he built a script of his own to scrape data from the database (and from the Indane Android app), recovering the details for 11,062 LPG dealers. He tested the details of 5,826,116 exposed customers and found their details to be valid. Extrapolating from that data, 6,791,200 Indane LPG customers have had their Aadhaar details leaked online, including their name, Aadhaar number, and full address.
Robert says he received the tip on February 10, and had confirmed enough data by February 15 to disclose the breach to Indane. With no response from them four days later, he made the public disclosure online.
It's only the latest in a series of breaches in the Aadhaar system, and the second involving Indane. In 2018, they were found to be leaking data from another endpoint with a direct connection to the official Aadhaar database.
The question is, will the umpteenth breach be enough to effect change in the Aadhaar system's flimsy security? Or will the authorities just continue with their hand-waving and empty platitudes instead of fixing the serious data privacy problem?